cve-2025-4143
Vulnerability from cvelistv5
Published
2025-05-01 00:19
Modified
2025-05-01 15:33
Severity ?
6.0 (Medium) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/U:Amber
Summary
Missing validation of redirect_uri on authorize endpoint
References
cna@cloudflare.comhttps://github.com/cloudflare/workers-oauth-provider/pull/26Issue Tracking, Patch
Impacted products
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4143",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-01T14:34:12.301406Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-01T15:33:28.911Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/cloudflare",
          "defaultStatus": "unaffected",
          "packageName": "workers-oauth-provider",
          "repo": "https://github.com/cloudflare/workers-oauth-provider",
          "versions": [
            {
              "lessThan": "0.0.5",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            }
          ]
        }
      ],
      "datePublic": "2025-04-30T16:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe OAuth implementation in workers-oauth-provider that is part of \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/workers-mcp\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eMCP framework\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e, did not correctly validate that redirect_uri was on the allowed list of redirect URIs for the given client registration.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cb\u003eFixed in:\u0026nbsp;\u003c/b\u003e\u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/workers-oauth-provider/pull/26\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://github.com/cloudflare/workers-oauth-provider/pull/26\u003c/span\u003e\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cb\u003eImpact:\u003c/b\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e \u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eUnder certain circumstances (see below), if a victim had previously authorized with a server built on workers-oath-provider, and an attacker could later trick the victim into visiting a malicious web site, then attacker could potentially steal the victim\u0027s credentials to the same OAuth server and subsequently impersonate them.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eIn order for the attack to be possible, the OAuth server\u0027s authorized callback must be designed to auto-approve authorizations that appear to come from an OAuth client that the victim has authorized previously. The authorization flow is not implemented by workers-oauth-provider; it is up to the application built on top to decide whether to implement such automatic re-authorization. However, many applications do implement such logic.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003ci\u003eNote: It is a basic, well-known requirement that OAuth servers should verify that the redirect URI is among the allowed list for the client, both during the authorization flow and subsequently when exchanging the authorization code for an access token. workers-oauth-provider implemented only the latter check, not the former. Unfortunately, the former is the much more important check.\u0026nbsp;\u003c/i\u003e\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003ci\u003eReaders who are familiar with OAuth may recognize that failing to check redirect URIs against the allowed list is a well-known, basic mistake, covered extensively in the RFC and elsewhere. The author of this library would like everyone to know that he was, in fact, well-aware of this requirement, thought about it a lot while designing the library, and then, somehow, forgot to actually make sure the check was in the code. That is, it\u0027s not that he didn\u0027t know what he was doing, it\u0027s that he knew what he was doing but flubbed it.\u003c/i\u003e\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "The OAuth implementation in workers-oauth-provider that is part of  MCP framework https://github.com/cloudflare/workers-mcp , did not correctly validate that redirect_uri was on the allowed list of redirect URIs for the given client registration.\n\nFixed in:\u00a0 https://github.com/cloudflare/workers-oauth-provider/pull/26 https://github.com/cloudflare/workers-oauth-provider/pull/26 \n\nImpact:\n\n \n\nUnder certain circumstances (see below), if a victim had previously authorized with a server built on workers-oath-provider, and an attacker could later trick the victim into visiting a malicious web site, then attacker could potentially steal the victim\u0027s credentials to the same OAuth server and subsequently impersonate them.\n\nIn order for the attack to be possible, the OAuth server\u0027s authorized callback must be designed to auto-approve authorizations that appear to come from an OAuth client that the victim has authorized previously. The authorization flow is not implemented by workers-oauth-provider; it is up to the application built on top to decide whether to implement such automatic re-authorization. However, many applications do implement such logic.\n\nNote: It is a basic, well-known requirement that OAuth servers should verify that the redirect URI is among the allowed list for the client, both during the authorization flow and subsequently when exchanging the authorization code for an access token. workers-oauth-provider implemented only the latter check, not the former. Unfortunately, the former is the much more important check.\u00a0Readers who are familiar with OAuth may recognize that failing to check redirect URIs against the allowed list is a well-known, basic mistake, covered extensively in the RFC and elsewhere. The author of this library would like everyone to know that he was, in fact, well-aware of this requirement, thought about it a lot while designing the library, and then, somehow, forgot to actually make sure the check was in the code. That is, it\u0027s not that he didn\u0027t know what he was doing, it\u0027s that he knew what he was doing but flubbed it."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-01T00:19:52.737Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/workers-oauth-provider/pull/26"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing validation of redirect_uri on authorize endpoint",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-4143",
    "datePublished": "2025-05-01T00:19:52.737Z",
    "dateReserved": "2025-04-30T16:36:33.506Z",
    "dateUpdated": "2025-05-01T15:33:28.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-4143\",\"sourceIdentifier\":\"cna@cloudflare.com\",\"published\":\"2025-05-01T01:15:54.127\",\"lastModified\":\"2025-05-12T19:39:43.820\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The OAuth implementation in workers-oauth-provider that is part of  MCP framework https://github.com/cloudflare/workers-mcp , did not correctly validate that redirect_uri was on the allowed list of redirect URIs for the given client registration.\\n\\nFixed in:\u00a0 https://github.com/cloudflare/workers-oauth-provider/pull/26 https://github.com/cloudflare/workers-oauth-provider/pull/26 \\n\\nImpact:\\n\\n \\n\\nUnder certain circumstances (see below), if a victim had previously authorized with a server built on workers-oath-provider, and an attacker could later trick the victim into visiting a malicious web site, then attacker could potentially steal the victim\u0027s credentials to the same OAuth server and subsequently impersonate them.\\n\\nIn order for the attack to be possible, the OAuth server\u0027s authorized callback must be designed to auto-approve authorizations that appear to come from an OAuth client that the victim has authorized previously. The authorization flow is not implemented by workers-oauth-provider; it is up to the application built on top to decide whether to implement such automatic re-authorization. However, many applications do implement such logic.\\n\\nNote: It is a basic, well-known requirement that OAuth servers should verify that the redirect URI is among the allowed list for the client, both during the authorization flow and subsequently when exchanging the authorization code for an access token. workers-oauth-provider implemented only the latter check, not the former. Unfortunately, the former is the much more important check.\u00a0Readers who are familiar with OAuth may recognize that failing to check redirect URIs against the allowed list is a well-known, basic mistake, covered extensively in the RFC and elsewhere. The author of this library would like everyone to know that he was, in fact, well-aware of this requirement, thought about it a lot while designing the library, and then, somehow, forgot to actually make sure the check was in the code. That is, it\u0027s not that he didn\u0027t know what he was doing, it\u0027s that he knew what he was doing but flubbed it.\"},{\"lang\":\"es\",\"value\":\"La implementaci\u00f3n de OAuth en workers-oauth-provider que forma parte del framework MCP https://github.com/cloudflare/workers-mcp , no valid\u00f3 correctamente que redirect_uri estuviera en la lista permitida de URI de redirecci\u00f3n para el registro de cliente dado. Corregido en: https://github.com/cloudflare/workers-oauth-provider/pull/26 https://github.com/cloudflare/workers-oauth-provider/pull/26 Impacto: Bajo ciertas circunstancias (ver abajo), si una v\u00edctima hab\u00eda autorizado previamente con un servidor construido sobre workers-oath-provider, y un atacante pudiera enga\u00f1ar posteriormente a la v\u00edctima para que visitara un sitio web malicioso, entonces el atacante podr\u00eda potencialmente robar las credenciales de la v\u00edctima al mismo servidor OAuth y posteriormente suplantarlas. Para que el ataque sea posible, la devoluci\u00f3n de llamada autorizada del servidor OAuth debe estar dise\u00f1ada para aprobar autom\u00e1ticamente las autorizaciones que parecen provenir de un cliente OAuth que la v\u00edctima ha autorizado previamente. El flujo de autorizaci\u00f3n no lo implementa workers-oauth-provider; la aplicaci\u00f3n subyacente decide si implementa o no dicha reautorizaci\u00f3n autom\u00e1tica. Sin embargo, muchas aplicaciones s\u00ed implementan esta l\u00f3gica. Nota: Es un requisito b\u00e1sico y bien conocido que los servidores OAuth verifiquen que la URI de redirecci\u00f3n se encuentre en la lista de permitidos para el cliente, tanto durante el flujo de autorizaci\u00f3n como posteriormente al intercambiar el c\u00f3digo de autorizaci\u00f3n por un token de acceso. workers-oauth-provider implement\u00f3 solo esta \u00faltima comprobaci\u00f3n, no la primera. Desafortunadamente, la primera es mucho m\u00e1s importante. Los lectores familiarizados con OAuth reconocer\u00e1n que no comprobar las URI de redirecci\u00f3n con la lista de permitidos es un error b\u00e1sico y bien conocido, ampliamente tratado en el RFC y en otras fuentes. El autor de esta librer\u00eda desea que todos sepan que, de hecho, conoc\u00eda bien este requisito, lo consider\u00f3 detenidamente durante su dise\u00f1o y, por alguna raz\u00f3n, olvid\u00f3 asegurarse de que la comprobaci\u00f3n estuviera incluida en el c\u00f3digo. Es decir, no es que no supiera lo que hac\u00eda, es que sab\u00eda lo que hac\u00eda pero lo hizo mal.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@cloudflare.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"AMBER\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cna@cloudflare.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cloudflare:workers-oauth-provider:0.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9B01663B-708A-4C77-9347-EA3AC30A5C94\"}]}]}],\"references\":[{\"url\":\"https://github.com/cloudflare/workers-oauth-provider/pull/26\",\"source\":\"cna@cloudflare.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.