CVE-2025-69196 — MEDIUM (6.5)

Q: How severe is CVE-2025-69196?

CVE-2025-69196 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-69196?

Check the references section above for vendor advisories and patch information. Affected products include: Jlowin Fastmcp.

Vulnerability Description

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Jlowin	Fastmcp	< 2.14.2

Related Weaknesses (CWE)

CWE-863

References

https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-5h2m-4q8j-pqpjExploitMitigationVendor Advisory

FAQ

What is CVE-2025-69196?

CVE-2025-69196 is a vulnerability with a CVSS score of 6.5 (MEDIUM). FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and t...

How severe is CVE-2025-69196?

CVE-2025-69196 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-69196?

Check the references section above for vendor advisories and patch information. Affected products include: Jlowin Fastmcp.