CVE-2025-62800 MEDIUM

CVE-2025-62800: FastMCP vulnerable to reflected XSS in client's callback page

Vendor Jlowin
Product fastmcp
Weakness CWE-79 · XSS
Published October 28, 2025
Last update October 29, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality None (vulnerable system), Low (subsequent system)
Integrity None (vulnerable system), Low (subsequent system)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScript execution in the callback server origin. The issue is fixed in version 2.13.0.
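The flaw described above, as an added illustration that is not FastMCP's own code: an OAuth callback page that pastes the `error` and `error_description` query parameters straight into its HTML, next to the same page with every reflected value HTML-escaped and served under a restrictive Content-Security-Policy. The function names and the sample query string are constructed for this example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample callback request (not taken from the advisory): the
# authorization server's error_description field carries markup.
SAMPLE_QUERY = (
    "error=access_denied"
    "&error_description=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def _first_values(query: str) -> dict:
    """Flatten parse_qs output to one value per key, percent-decoded."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def render_vulnerable(query: str) -> str:
    """The CWE-79 pattern: user-controlled values interpolated unescaped."""
    p = _first_values(query)
    error = p.get("error", "")
    desc = p.get("error_description", "")
    return f"<h1>Authorization failed</h1><p>{error}: {desc}</p>"


def render_hardened(query: str) -> str:
    """Same page, but each reflected value is escaped before insertion.

    quote=True also escapes " and ', so the values are safe inside
    attribute contexts as well as element text.
    """
    p = _first_values(query)
    error = html.escape(p.get("error", ""), quote=True)
    desc = html.escape(p.get("error_description", ""), quote=True)
    return f"<h1>Authorization failed</h1><p>{error}: {desc}</p>"


def hardened_response(query: str) -> tuple:
    """(status, headers, body) for the callback, with defence in depth:
    a CSP that forbids script execution even if escaping were ever missed."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, render_hardened(query)


def contains_raw_script_tag(page: str) -> bool:
    """Detection helper: does an unescaped <script> tag survive in the output?"""
    return "<script" in page.lower()
```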

Key dates

Disclosure timeline

October 28, 2025 CVE published
October 29, 2025 Record updated