Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
Vulnerability Description
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. This issue has been patched in version 3.2.0.
CVSS Information
N/A
Vulnerability Type
未有动机的代理或中间人(混淆代理)
Vulnerability Title
FastMCP 安全漏洞
Vulnerability Description
FastMCP是Jeremiah Lowin个人开发者的一个MCP服务器构建软件。 FastMCP 3.2.0之前版本存在安全漏洞,该漏洞源于OAuthProxy未正确验证用户授权,可能导致混淆代理人攻击。
CVSS Information
N/A
Vulnerability Type
N/A