Primary

Context

Cloudflare Workers OAuth Provider PKCE Bypass Vulnerability

Vulnerability

A vulnerability exists in the OAuth implementation of Cloudflare Workers OAuth Provider, part of the MCP framework, which allows attackers to bypass the Proof Key for Code Exchange (PKCE) protection. PKCE, a defense mechanism against certain attacks, was optional in OAuth 2.0 but became mandatory in the OAuth 2.1 draft. This vulnerability undermines the PKCE requirement specified in the MCP framework.

Impact

Exploitation of this vulnerability completely bypasses the PKCE protection, which is crucial for preventing certain types of attacks in the OAuth 2.0 authorization framework.

Remediation

Users can update to the latest version of Cloudflare Workers OAuth Provider, where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.3

exploitability

7.4

remediation

0.0

relevance

0.0

threat

0.0

urgency

5.7

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.3

exploitability

7.4

remediation

0.0

relevance

0.0

threat

0.0

urgency

5.7

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Cloudflare Workers OAuth Provider PKCE Bypass Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating