Apache-2.0
All Versions
Vulnerabilities (Public)
Known vulnerabilities and security issues detected in the extension's dependencies and code.
| Vulnerability ID | Advisory | Severity | | | Affected Versions |
|---|---|---|---|---|---|
| CVE-2026-32871 | Affected versions of the fastmcp package are vulnerable to Server-Side Request Forgery (SSRF) and Path Traversal due to improper path parameter handling in URL construction. Specifically, fastmcp/util… | Critical | – | – | <3.2.0 |
| CVE-2025-64340 | Affected versions of the fastmcp package are vulnerable to Command Injection due to improper neutralization of shell metacharacters in server names. The fastmcp install claude-code and fastmcp install… | High | – | – | <3.2.0 |
| CVE-2026-27124 | Affected versions of the fastmcp package are vulnerable to Improper Input Validation due to missing consent verification in the OAuth proxy callback flow. Specifically, OAuthProxy._handle_idp_callback… | High | – | – | <3.2.0 |
| CVE-2025-69196 | Affected versions of the fastmcp package are vulnerable to Improper Input Validation due to incorrect handling of the OAuth resource parameter during token issuance. In src/fastmcp/server/auth/oauth_p… | High | – | – | <2.14.2 |
| CVE-2025-62800 | Affected versions of the fastmcp package are vulnerable to Cross-site Scripting (XSS) due to unsanitized user-controlled content being embedded in the OAuth client’s callback HTML. The create_callback… | Medium | – | – | <2.13.0 |
| CVE-2025-62801 | Affected versions of the fastmcp package are vulnerable to Command Injection due to improper neutralization of the server_name value when constructing and launching a Windows deep link during the Curs… | Medium | – | – | <2.13.0 |
| SFTY-20251226-65730 | FastMCP updated to MCP 1.23+ due to CVE-2025-66416 | Unknown | – | – | < 2.14.0 |
| SFTY-20251030-01977 | Affected versions of the fastmcp package are vulnerable to Improper Authentication due to a Confused Deputy flaw in the built-in OAuth authorisation flow. The /authorize endpoint—when FastMCP serves a… | Unknown | – | – | <2.13.0 |
Safety Discovered Vulnerabilities
Additional security issues found by Safety, exclusive to our platform.

