PT-2025-44217 · Fastmcp · Fastmcp

Published: 2025-10-28 · Updated: 2026-04-14 · CVE-2025-62800

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FastMCP versions prior to 2.13.0

Description: FastMCP, a framework for building MCP applications, is affected by a reflected cross-site scripting issue. The problem exists in the OAuth client callback page (oauth_callback.py): user-controlled values from the callback request are inserted into the generated HTML without escaping. A victim who opens a crafted callback link while the client's callback server is listening (user interaction is required, UI:R in the vector) gets arbitrary JavaScript executed within the callback server origin.

Recommendations: Update to version 2.13.0 or later.
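The pattern behind the advisory, as an added illustration that is not FastMCP's own code: a minimal callback-page renderer that reflects OAuth error parameters into HTML, first in the vulnerable form (raw interpolation) and then in the hardened form (html.escape on every reflected value). The function names, the sample callback URL, port and parameter values are assumptions constructed for this example.

```python
"""Added example, not FastMCP's code: reflected XSS in an OAuth callback page.

The vulnerable renderer interpolates query parameters straight into HTML; the
hardened one escapes them first.  All names and sample data are assumptions.
"""
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample: a crafted link an attacker might lure the victim into
# opening while the local callback server is listening (hypothetical port).
MALICIOUS_CALLBACK_URL = (
    "http://localhost:54321/callback?error=access_denied"
    "&error_description=%3Cscript%3Edocument.title%3D%22pwned%22%3C%2Fscript%3E"
)

PAGE_TEMPLATE = (
    "<html><body><h1>Authentication failed</h1>"
    "<p>{error}: {description}</p></body></html>"
)


def parse_callback_params(url: str) -> dict[str, str]:
    """Return the single-valued, percent-decoded query parameters of a URL."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def render_callback_vulnerable(params: dict[str, str]) -> str:
    """Vulnerable pattern: untrusted values dropped into HTML unescaped."""
    return PAGE_TEMPLATE.format(
        error=params.get("error", ""),
        description=params.get("error_description", ""),
    )


def render_callback_fixed(params: dict[str, str]) -> str:
    """Hardened pattern: escape <, >, &, and quotes before they reach markup."""
    return PAGE_TEMPLATE.format(
        error=html.escape(params.get("error", ""), quote=True),
        description=html.escape(params.get("error_description", ""), quote=True),
    )


def contains_script_tag(page: str) -> bool:
    """Crude check used here to show whether a payload survived as markup."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    params = parse_callback_params(MALICIOUS_CALLBACK_URL)
    print("vulnerable:", render_callback_vulnerable(params))
    print("fixed:     ", render_callback_fixed(params))
```

Escaping at the point where a value enters the HTML is the whole fix; attribute contexts need quote=True as well, since a value landing inside an attribute can otherwise break out with a single quote character.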

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-62800
GHSA-MXXR-JV3V-6PGC

Affected Products

Fastmcp