Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
PKCE bypass via downgrade attack
Vulnerability Description
PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27 https://github.com/cloudflare/workers-oauth-provider/pull/27 Impact: PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.). This bug completely bypasses PKCE protection.
CVSS Information
N/A
Vulnerability Type
认证机制不恰当
Vulnerability Title
workers-oauth-provider 安全漏洞
Vulnerability Description
workers-oauth-provider是Cloudflare开源的一个Cloudflare Workers的OAuth提供程序库。 workers-oauth-provider存在安全漏洞,该漏洞源于PKCE检查被绕过,可能导致保护机制失效。
CVSS Information
N/A
Vulnerability Type
N/A