CVE-2025-4144
MEDIUM EPSS 38.5%
Published May 1, 20251y ago · Modified Jun 17, 20261w ago
5.3 CVSS 4.0
Published May 1, 2025 1y ago
Last Modified Jun 17, 2026 1w ago
Description
PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27 https://github.com/cloudflare/workers-oauth-provider/pull/27 Impact: PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.). This bug completely bypasses PKCE protection.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction P
Scope X
Threat Intelligence
EPSS Exploit Probability
38.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-287 Improper Authentication Authentication
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| cloudflare | workers-oauth-provider | 0.0.5 | any |
References 1
- github.com https://github.com/cloudflare/workers-oauth-provider/pull/27
Remediation
- github.com https://github.com/cloudflare/workers-oauth-provider/pull/27