CVE-2025-4144: 
JavaScript vulnerability analysis and mitigation

PKCE (Proof Key for Code Exchange) was implemented in the OAuth implementation in workers-oauth-provider, which is part of the MCP framework. The vulnerability, identified as CVE-2025-4144, was discovered in April 2025 and allows an attacker to bypass PKCE protection by causing the check to be skipped. The issue affects the workers-oauth-provider component and has been assigned a CVSS v4.0 score of 5.3 (MEDIUM) (NVD, Wiz).

The vulnerability specifically affects the PKCE implementation in the workers-oauth-provider component. PKCE, which was an optional extension in OAuth 2.0 and became required in OAuth 2.1 draft, serves as a defense-in-depth mechanism against certain types of attacks. The vulnerability has been assigned a CVSS v4.0 vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Amber (NVD).

The vulnerability completely bypasses PKCE protection, which is particularly concerning as PKCE is a required security mechanism in OAuth 2.1. This bypass could potentially expose the OAuth flow to attacks that PKCE was designed to prevent. The impact is especially significant since the MCP specification requires OAuth 2.1 compliance (NVD, Wiz).

The vulnerability has been fixed through a pull request in the workers-oauth-provider repository. Users should update to the version that includes the fix from the GitHub pull request (GitHub PR).