PT-2025-18344 · Unknown · Workers-Oauth-Provider

Published: 2025-05-01 · Updated: 2025-05-05 · CVE-2025-4143

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: workers-oauth-provider (affected versions not specified)

Description: The OAuth implementation in workers-oauth-provider did not correctly validate that the redirect URI was on the allowed list of redirect URIs for the given client registration. Under certain circumstances this could allow an attacker to steal a victim's credentials for the same OAuth server and impersonate them. The attack requires that the victim has previously authorized with a server built on workers-oauth-provider and that the attacker tricks the victim into visiting a malicious website. The OAuth server's authorized callback must also be designed to auto-approve authorizations that appear to come from an OAuth client the victim has authorized previously.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
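The defensive check the description calls for, as an added example that is not workers-oauth-provider's own code: the authorization endpoint accepts a redirect_uri only if it is an exact, case-sensitive string match for one of the URIs registered for that client_id, and never redirects on failure. The in-memory client registry, function names and sample URIs are assumptions constructed for this example.

```javascript
// Added example: strict redirect_uri validation for an OAuth authorization
// endpoint. Illustrative code only, not the library's implementation; the
// registry shape and function names are assumed for the example.

// Constructed sample client registrations (stand-in for a real client store).
const CLIENTS = new Map([
  ["client-abc", { redirectUris: ["https://app.example/cb", "https://app.example/cb2"] }],
  ["client-no-uris", { redirectUris: [] }],
]);

// Returns true only if requestedUri exactly equals one of the URIs registered
// for clientId. RFC 6749 section 3.1.2 and the OAuth 2.0 Security BCP call
// for exact string matching: no prefix, wildcard, host-only or normalised match.
function isAllowedRedirectUri(clientId, requestedUri) {
  const client = CLIENTS.get(clientId);
  if (!client || !Array.isArray(client.redirectUris) || client.redirectUris.length === 0) {
    return false; // unknown client, or client with nothing registered: never redirect
  }
  if (typeof requestedUri !== "string" || requestedUri.length === 0) return false;
  let parsed;
  try {
    parsed = new URL(requestedUri); // must be an absolute, well-formed URI
  } catch {
    return false; // relative or malformed value
  }
  if (parsed.hash !== "") return false; // fragments are never part of a registered URI
  // Compare the raw string, so "../" tricks, extra query parameters and
  // look-alike hosts all fail even though new URL() accepted them.
  return client.redirectUris.includes(requestedUri);
}

// Authorization request handler: decide where the browser may be sent.
// Returns the validated target, or null, in which case the server must render
// an error page itself and must NOT redirect to the supplied value.
function resolveRedirectTarget(params) {
  const { client_id, redirect_uri } = params;
  if (!isAllowedRedirectUri(client_id, redirect_uri)) return null;
  return redirect_uri;
}
```

A null result must end in a locally rendered error, not a redirect, because any redirect to an unvalidated URI is the open-redirect condition the advisory describes.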

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2025-4143
GHSA-4PC9-X2FX-P7VJ
GHSA-7CP4-JW97-3RC2

Affected Products

Workers-Oauth-Provider