FastMCP Improper Resource Handling in OAuth Proxy Allows Token Reuse Across MCP Servers

Vulnerability

A vulnerability in FastMCP's OAuth Proxy implementation, prior to version 2.14.2, allows for improper handling of the resource parameter in authorization and token requests. Instead of issuing tokens specific to the MCP server, tokens are issued for the base URL provided during OAuthProxy initialization. This misconfiguration enables an adversary to create a malicious MCP server that can intercept and reuse tokens across different MCP servers that use the same authorization server, violating token validation requirements and exposing protected resources.

Impact

This vulnerability allows for the theft of authentication tokens from a victim's MCP server, which can then be used to access resources on other MCP servers that share the same authorization server. This bypasses the intended token validation process and could lead to unauthorized access to sensitive tools and resources.

Reproduction

To reproduce this vulnerability, set up a benign MCP server using FastMCP's OAuth Proxy with a GitHub App's client ID and secret. Then, start a malicious authorization server and MCP server. Connect a client to the malicious MCP server and complete the OAuth flow. The stolen token can then be used to access the benign MCP server, demonstrating the token reuse vulnerability.

Remediation

To address this vulnerability, tokens must be issued specifically for the MCP server named in the authorization request's resource parameter, rather than for the proxy's base URL (the behaviour in FastMCP 2.14.2 and later). The receiving MCP server can then validate that the token's audience is exactly its own URL, so a token obtained through one MCP server is rejected by every other server behind the same authorization server.
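The following is an added illustration of the remediated behaviour, written for this page and not taken from FastMCP's OAuth Proxy. It propagates the resource indicator (RFC 8707) into the authorization request, mints a token whose audience is exactly that resource, and shows a server-side check that accepts the token only when the audience equals the server's own URL. The base URL, the two server URLs, the client ID, the redirect URI and the signing secret are all constructed sample values.

```python
"""
Added example (not FastMCP's code): binding an OAuth access token to one MCP
server through the RFC 8707 `resource` parameter and validating the audience
exactly on the receiving server. All URLs and the HMAC secret are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed sample values; none of these are real deployments.
AUTH_SERVER = "https://auth.example.test"
BASE_URL = "https://mcp.example.test"           # what the proxy was initialised with
SERVER_A = "https://mcp.example.test/a/mcp"     # two MCP servers sharing one authorization server
SERVER_B = "https://mcp.example.test/b/mcp"
ISSUER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorize_url(client_id: str, redirect_uri: str, resource: str, state: str) -> str:
    """Authorization request that carries the resource indicator.

    `resource` must be the MCP server the client is actually connecting to,
    not the proxy's base URL, so the token is minted for that server only."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "resource": resource,
    }
    return f"{AUTH_SERVER}/authorize?{urlencode(params)}"


def issue_token(resource: str, ttl: int = 300) -> str:
    """Mint a compact HMAC-signed token whose `aud` claim is exactly `resource`."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": AUTH_SERVER, "aud": resource, "exp": int(time.time()) + ttl}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(ISSUER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, expected_resource: str) -> bool:
    """Verify signature and expiry, then require `aud` == this server's URL.

    The audience comparison is an exact string match. Accepting any token whose
    audience is the shared BASE_URL is what makes a token obtained via one MCP
    server usable against every other server under that base URL."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(ISSUER_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        return False
    return claims.get("aud") == expected_resource


if __name__ == "__main__":
    # Pre-fix shape described in the advisory: every server validates against
    # BASE_URL, so a token minted for the base URL passes on both A and B.
    broad = issue_token(BASE_URL)
    print("base-URL token accepted by A and B when both check BASE_URL:",
          validate_token(broad, BASE_URL), validate_token(broad, BASE_URL))
    # Fixed shape: each server checks its own resource URL, so A's token is
    # rejected by B and the base-URL token is rejected by both.
    tok_a = issue_token(SERVER_A)
    print("token for A accepted by A:", validate_token(tok_a, SERVER_A))
    print("token for A accepted by B:", validate_token(tok_a, SERVER_B))
    print("base-URL token accepted by A:", validate_token(broad, SERVER_A))
    print(build_authorize_url("client-id-placeholder", "http://127.0.0.1:8765/callback", SERVER_A, "s1"))
```

The point of the exact audience comparison is that the server, not the proxy configuration, decides which tokens it honours: a token carrying the base URL, or another server's URL, fails the check even though it was signed by the same authorization server.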

Added: Mar 16, 2026, 7:24 PM
Updated: Mar 16, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 7.1
remediation: 0.0
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.