CVE Catalog

CVE-2025-69196

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile - higher than 28% of all known CVEs

Summary

In the FastMCP library before version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. The token is issued for the base_url passed to the OAuthProxy during initialization, not for the specific MCP server.

Risk Assessment

The organization is at risk of unauthorized access to resources because the token may be used for a different server than intended, potentially leading to access control breaches.

Recommendation

Immediately update the FastMCP library to version 2.14.2 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS