CVE-2025-62800: 
Model Context Protocol 취약성 분석 및 완화

CVE-2025-62800 is a Cross-Site Scripting (XSS) vulnerability discovered in FastMCP's OAuth client callback functionality. The vulnerability was published on October 28, 2025, affecting FastMCP versions prior to 2.13.0 (GitHub Advisory).

The vulnerability exists in the OAuth callback page implementation located in the client/oauthcallback.py file. The issue stems from the createcallback_html function embedding user-controlled content without proper escaping or sanitization. This allows for reflected XSS attacks through various parameters, including the error GET parameter, which gets inserted directly into the callback page (GitHub Advisory).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the victim's browser within the callback server's origin. The exploitation can be triggered either through direct access to the callback URL or potentially through a malicious authorization server that returns an exploitation URL in the authorization_endpoint field (GitHub Advisory).

The vulnerability has been patched in FastMCP version 2.13.0. Users are advised to upgrade to this version or later to mitigate the risk (GitHub Advisory).