Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-4144

Good to know:

icon
icon

Date: April 30, 2025

PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27 https://github.com/cloudflare/workers-oauth-provider/pull/27 Impact: PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.). This bug completely bypasses PKCE protection.

Severity Score

Related Resources (5)

https://nvd.nist.gov/vuln/detail/CVE-2025-4144
https://github.com/cloudflare/workers-oauth-provider/security/advisories/GHSA-qgp8-v765-qxx9
https://github.com/cloudflare/workers-oauth-provider
https://github.com/cloudflare/workers-oauth-provider/pull/27
https://www.mend.io/vulnerability-database/CVE-2025-4144

Severity Score

Weakness Type (CWE)

Improper Authentication

CWE-287

Top Fix

icon

Upgrade Version

Upgrade to version @cloudflare/workers-oauth-provider - 0.0.5;@cloudflare/workers-oauth-provider - 0.0.5

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us