CVE-2025-62800: FastMCP vulnerable to reflected XSS in client's callback page
While setting up an OAuth client, it was observed that the callback page the client hosts during the authorization flow embeds user-controlled content (the values carried by the incoming redirect request) in its HTML without escaping or sanitizing them. Because the page reflects those values back verbatim, a crafted callback URL can inject HTML or script into the page; this is a reflected cross-site scripting (XSS) vulnerability.
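The following is an added illustration of the bug class described above, not FastMCP's own code. It assumes a local OAuth callback handler that reflects the standard `error` and `error_description` redirect parameters (RFC 6749 error-response names; the page does not say which parameter FastMCP reflected) into an HTML page, and shows the unescaped rendering next to the escaped one. The redirect URL is constructed for the example.

```python
"""Reflected XSS in an OAuth callback page, and the escaped version.

Added example; not FastMCP's code. Assumes the callback reflects the
RFC 6749 `error` / `error_description` query parameters into HTML.
"""
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit


def params_from_url(url: str) -> dict:
    """Parse the query string of a callback URL into {name: [values]}."""
    return parse_qs(urlsplit(url).query)


def render_callback_vulnerable(params: dict) -> str:
    """Embed query values verbatim: attacker-controlled markup runs as HTML."""
    error = params.get("error", [""])[0]
    desc = params.get("error_description", [""])[0]
    if error:
        return f"<h1>Authorization failed</h1><p>{error}: {desc}</p>"
    return "<h1>Authorization complete</h1><p>You may close this window.</p>"


def render_callback_safe(params: dict) -> str:
    """Same page, with every attacker-influenced value HTML-escaped."""
    error = html.escape(params.get("error", [""])[0], quote=True)
    desc = html.escape(params.get("error_description", [""])[0], quote=True)
    if error:
        return f"<h1>Authorization failed</h1><p>{error}: {desc}</p>"
    return "<h1>Authorization complete</h1><p>You may close this window.</p>"


class CallbackHandler(BaseHTTPRequestHandler):
    """Minimal loopback callback server using the escaped renderer."""

    def do_GET(self):
        body = render_callback_safe(params_from_url(self.path)).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # Defence in depth: a restrictive CSP blocks inline script even if an
        # escaping gap is missed elsewhere in the page.
        self.send_header("Content-Security-Policy", "default-src 'none'")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed attacker-controlled redirect (hypothetical, not a real capture):
# the "authorization server" sends the victim's browser to the loopback
# callback with a script payload in error_description.
MALICIOUS_REDIRECT = (
    "http://127.0.0.1:8000/callback?error=access_denied"
    "&error_description=%3Cscript%3Ealert(document.domain)%3C/script%3E"
)

if __name__ == "__main__":
    print("vulnerable:", render_callback_vulnerable(params_from_url(MALICIOUS_REDIRECT)))
    print("escaped:   ", render_callback_safe(params_from_url(MALICIOUS_REDIRECT)))
    # Serve the hardened page on the loopback callback address.
    HTTPServer(("127.0.0.1", 8000), CallbackHandler).serve_forever()
```

The vulnerable renderer emits the `<script>` element unchanged, so the browser executes it in the origin of the callback page; the safe renderer turns it into `&lt;script&gt;…&lt;/script&gt;`, which displays as text. Escaping at the point of HTML output is the fix; the Content-Security-Policy header is a second layer, not a substitute.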