Highlights
Auth Bypass: 3 prior fixes. Scrutinize any change in this area.
packages/mcp-common/src/cloudflare-oauth-handler.ts: most-fixed (2 issues). Treat as high-risk during review.
4 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Auth Bypass: The OAuth mechanism historically exposed the PKCE code verifier to the client through a base64-encoded state parameter. This could allow an attacker to intercept the state parameter and complete an authorization flow bypass. The fix securely relocated PKCE verification storage to server-side KV storage.
Cryptographic Issues: OAuth session cookies lacked cryptographic protection, exposing sensitive session data. Implementing symmetric encryption via a dedicated cookie encryption key was necessary to prevent tampering and disclosure.
Auth Bypass: A loose validation mechanism allowed resource matching bypasses against the OAuth provider. Resolving this required moving to a strict origin-only matching configuration flag.