PyPI: fastmcp
CVE-2025-69196
Safety vulnerability ID: SFTY-20260316-32346
Safety legacy ID: pyup.io-89420
Overview
FastMCP OAuth Proxy token reuse across MCP servers
Advisory
Affected versions of the fastmcp package are vulnerable to Improper Input Validation due to incorrect handling of the OAuth resource parameter during token issuance. In src/fastmcp/server/auth/oauth_proxy.py, the OAuthProxy initialises JWTIssuer with issuer=str(self.base_url) and audience=f"{str(self.base_url).rstrip('/')}/mcp", so issued access and refresh tokens are bound to the proxy's own base_url rather than to the client-supplied target resource. An MCP server therefore cannot verify that a token was issued specifically for it, and a token accepted by one MCP server behind the proxy is equally valid at any other.
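As an added illustration (not fastmcp's own code), the standard-library-only Python below contrasts the advisory's proxy-bound audience with an audience bound to the client-supplied resource, and shows the audience check a resource server should apply when validating a token. The signing key, URLs, registered-resource set and the minimal HS256 issuer are constructed stand-ins for the proxy's JWTIssuer and base_url.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: key and URLs are placeholders, not fastmcp's own.
SIGNING_KEY = b"constructed-demo-key"
PROXY_BASE_URL = "https://proxy.example"            # stands in for OAuthProxy.base_url
REGISTERED_RESOURCES = {"https://mcp-a.example/mcp", "https://mcp-b.example/mcp"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def vulnerable_audience() -> str:
    """The advisory's behaviour: every token gets the proxy's own /mcp URL as aud."""
    return f"{PROXY_BASE_URL.rstrip('/')}/mcp"

def audience_for(resource: "str | None") -> str:
    """Fixed behaviour: aud is the client-supplied resource (RFC 8707), refused if unknown."""
    if resource is None or resource not in REGISTERED_RESOURCES:
        raise ValueError(f"missing or unregistered resource: {resource!r}")
    return resource

def issue_token(audience: str, sub: str = "alice") -> str:
    """Minimal HS256 JWT standing in for JWTIssuer (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": PROXY_BASE_URL, "aud": audience, "sub": sub}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_for_resource(token: str, my_resource: str) -> dict:
    """Resource-server side: check the signature, then require aud to name this server."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_resource not in audiences:
        raise ValueError(f"token audience {audiences} does not include {my_resource}")
    return claims

def token_accepted(token: str, my_resource: str) -> bool:
    try:
        verify_for_resource(token, my_resource)
        return True
    except ValueError:
        return False
```

With the proxy-bound audience, a server that enforces the audience check rejects the token outright, while a server that skips it accepts a token that was never minted for it.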
How to Fix
Mitigation and Workarounds
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260316-32346/CVE-2025-69196
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69196
- https://data.safetycli.com/changelogs/fastmcp/
- https://github.com/advisories/GHSA-5h2m-4q8j-pqpj
- https://pypi.org/project/fastmcp
- https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-5h2m-4q8j-pqpj
- https://nvd.nist.gov/vuln/detail/CVE-2025-69196
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
