Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2025-69196

created 1 month ago

FastMCP OAuth Proxy token reuse across MCP servers

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

References

https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-5h2m-4q8j-pqpj x_refsource_CONFIRM

Affected products

fastmcp

==< 2.14.2

Matching in nixpkgs

pkgs.python312Packages.fastmcp

Fast, Pythonic way to build MCP servers and clients

nixos-25.11 2.12.5
- nixos-25.11-small 2.12.5
- nixpkgs-25.11-darwin 2.12.5

pkgs.python313Packages.fastmcp

Fast, Pythonic way to build MCP servers and clients

nixos-unstable 2.14.5
- nixpkgs-unstable 2.14.5
- nixos-unstable-small 2.14.5
nixos-25.11 2.12.5
- nixos-25.11-small 2.12.5
- nixpkgs-25.11-darwin 2.12.5

Package maintainers

@GaetanLepage Gaetan Lepage <gaetan@glepage.com>