CVE-2025-69196
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
In the FastMCP library before version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. The token is issued for the base_url passed to the OAuthProxy during initialization, not for the specific MCP server.
Risk Assessment
The organization is at risk of unauthorized access to resources because the token may be used for a different server than intended, potentially leading to access control breaches.
Recommendation
Immediately update the FastMCP library to version 2.14.2 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

