FastMCP OAuth Proxy Consent Validation Vulnerability Leading to Confused Deputy

A Confused Deputy vulnerability exists in FastMCP versions prior to 3.2.0, specifically within the OAuth integration with GitHub. The issue arises because the FastMCP OAuthProxy fails to properly validate user consent when receiving authorization codes from GitHub. This flaw, combined with GitHub's practice of bypassing the consent page for previously authorized clients, allows an attacker to exploit the OAuth flow and gain unauthorized access to resources on behalf of a user.

Impact

Exploitation of this vulnerability allows an attacker to access resources on a FastMCP server using the GitHub account of a victim, potentially leading to unauthorized actions or data access within that account.

Reproduction

To reproduce this vulnerability, set up a FastMCP server with the GitHubProvider OAuth integration. Connect a benign MCP client to this server, then log into a GitHub account that has previously authorized an MCP client. Next, connect a malicious MCP client to the same server. After confirming the consent prompt for the malicious client, intercept the authorization request and copy the authorization URL. This URL can then be used to lure a victim into granting access to the malicious client, which will receive a valid authorization code that can be exchanged for an access token, allowing access to the victim's resources on the MCP server.

Remediation

Users can update to FastMCP version 3.2.0 or later, where this vulnerability has been patched.