CVE-2025-4143: 
JavaScript vulnerability analysis and mitigation

The OAuth implementation in workers-oauth-provider, which is part of the MCP framework (https://github.com/cloudflare/workers-mcp), contained a vulnerability where it failed to correctly validate that redirect_uri was on the allowed list of redirect URIs for the given client registration. The vulnerability was discovered and disclosed on April 30, 2025 (NVD, Wiz).

The vulnerability stems from a missing validation check in the OAuth implementation. While the system implemented validation when exchanging the authorization code for an access token, it failed to implement the crucial check during the authorization flow. The vulnerability has been assigned a CVSS 4.0 Base Score of 6.0 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/U:Amber (NVD).

Under certain circumstances, if a victim had previously authorized with a server built on workers-oauth-provider, and an attacker could later trick the victim into visiting a malicious website, the attacker could potentially steal the victim's credentials to the same OAuth server and subsequently impersonate them. The attack is possible when the OAuth server's authorized callback is designed to auto-approve authorizations that appear to come from an OAuth client that the victim has previously authorized (NVD).

The vulnerability has been fixed in a pull request to the workers-oauth-provider repository. The fix implements proper validation of redirect URIs against the allowed list during both the authorization flow and token exchange (CloudFlare PR).