Bug 2448179 (CVE-2025-69196)
| Summary: | CVE-2025-69196 fastmcp: FastMCP: Improper token issuance due to incorrect resource parameter handling | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abarbaro, alizardo, anthomas, dfreiber, drow, ehelms, ggainey, jburrell, jchui, jhe, jkoehler, juwatts, ktsao, lphiri, mhulan, nboldt, nmoumoul, osousa, pcreech, psrna, rchan, smallamp, tmalecek, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in FastMCP, a framework for building MCP applications. The server does not correctly process the resource parameter provided by the client during authorization and token requests. This can lead to security tokens being issued for an unintended base URL (Uniform Resource Locator) instead of the specific MCP server. Such improper token issuance could allow an attacker to gain unauthorized access or disclose sensitive information.
Description
OSIDB Bzimport
2026-03-16 19:02:01 UTC