What is the severity of GHSA-qgp8-v765-qxx9?

The severity of GHSA-qgp8-v765-qxx9 is considered critical due to the potential bypass of authentication mechanisms.

How do I fix GHSA-qgp8-v765-qxx9?

To fix GHSA-qgp8-v765-qxx9, update the @cloudflare/workers-oauth-provider to version 0.0.5 or later.

What versions are affected by GHSA-qgp8-v765-qxx9?

GHSA-qgp8-v765-qxx9 affects versions of @cloudflare/workers-oauth-provider prior to 0.0.5.

What is PKCE in the context of GHSA-qgp8-v765-qxx9?

PKCE stands for Proof Key for Code Exchange and is a security measure within OAuth to enhance authorization flow.

What could an attacker do with GHSA-qgp8-v765-qxx9?

An attacker could exploit GHSA-qgp8-v765-qxx9 to skip critical authentication checks, leading to unauthorized access.

Vulnerability/
GHSA-qgp8-v765-qxx9

CWE

287

1/5/2025

GHSA-qgp8-v765-qxx9

First published: Thu May 01 2025(Updated: )

### Summary PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of[ MCP framework](https://github.com/cloudflare/workers-mcp). However, it was found that an attacker could cause the check to be skipped. ### Impact PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.) This bug completely bypasses PKCE protection. ### Patches Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27 We patched up the vulnerabilities in the latest version, v 0.0.5 of the Workers OAuth provider (https://www.npmjs.com/package/@cloudflare/workers-oauth-provider). You'll need to update your MCP servers to use that version to resolve the vulnerability. ### Workarounds None

Affected Software	Affected Version	How to fix
npm/@cloudflare/workers-oauth-provider	<0.0.5	0.0.5

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of GHSA-qgp8-v765-qxx9?
The severity of GHSA-qgp8-v765-qxx9 is considered critical due to the potential bypass of authentication mechanisms.
How do I fix GHSA-qgp8-v765-qxx9?
To fix GHSA-qgp8-v765-qxx9, update the @cloudflare/workers-oauth-provider to version 0.0.5 or later.
What versions are affected by GHSA-qgp8-v765-qxx9?
GHSA-qgp8-v765-qxx9 affects versions of @cloudflare/workers-oauth-provider prior to 0.0.5.
What is PKCE in the context of GHSA-qgp8-v765-qxx9?
PKCE stands for Proof Key for Code Exchange and is a security measure within OAuth to enhance authorization flow.
What could an attacker do with GHSA-qgp8-v765-qxx9?
An attacker could exploit GHSA-qgp8-v765-qxx9 to skip critical authentication checks, leading to unauthorized access.

collector/github-advisory-latest
source/GitHub
alias/GHSA-qgp8-v765-qxx9
alias/CVE-2025-4144
agent/software-canonical-lookup
agent/weakness
agent/last-modified-date
agent/references
agent/source
agent/softwarecombine
agent/tags
agent/first-publish-date
agent/type
agent/description
agent/event
package-manager/npm

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.