CVE-2025-62800: 
Homebrew vulnerability analysis and mitigation

CVE-2025-62800 is a reflected Cross-Site Scripting (XSS) vulnerability discovered in FastMCP's OAuth callback mechanism. The vulnerability was disclosed on October 29, 2025, affecting FastMCP versions prior to 2.13.0. The issue exists in the client's callback page where user-controlled content is embedded without proper escaping or sanitization during the OAuth flow (GitHub Advisory, Miggo).

The vulnerability is located in the create_callback_html function within src/fastmcp/client/oauth_callback.py. The function embeds values passed via the message parameter into the callback page without proper sanitization. The issue affects multiple parameters, with the error GET parameter being a primary vector. The vulnerability has an EPSS score of 0.23941% and is classified under CWE-79 (Improper Neutralization of Special Elements used in an SQL Command) (Miggo).

The vulnerability allows attackers to execute arbitrary JavaScript code in the victim's browser within the callback server's origin. This can be triggered either through direct access to the callback URL or through a malicious authorization server that returns an exploitation URL in the authorization_endpoint field (GitHub Advisory).

The vulnerability has been patched in FastMCP version 2.13.0. The fix includes adding HTML escaping to various helper functions including create_info_box, create_page, create_status_message, and create_detail_box. Users are advised to upgrade to the patched version (Miggo).