Home > Vulnerability Database > CVE-2025-62800

Mend.io Vulnerability Database

CVE-2025-62800

Good to know:

Date: October 28, 2025

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScript execution in the callback server origin. The issue is fixed in version 2.13.0.

Severity Score

6.3

Related Resources (3)

Url: https://github.com/jlowin/fastmcp/security/advisories/GHSA-mxxr-jv3v-6pgc

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-62800

Url: https://www.mend.io/vulnerability-database/CVE-2025-62800

Severity Score

6.3

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version fastmcp - 2.13.0;fastmcp - 2.13.0;https://github.com/jlowin/fastmcp.git - v2.13.0

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-62800

Good to know:

Date: October 28, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?