MCP OAuth Response Handling Flaw (CVE-2025-61591)
Key Takeaways
- MCP OAuth responses were processed without sufficient validation
- Untrusted MCP servers could inject commands into AI workflows
- Vulnerability enabled command execution during authentication flows
- No confirmed exploitation or breach reported
- Patch released to remediate the issue
OAuth Responses Became a Command Injection Vector
A vulnerability in how MCP clients handled OAuth responses allowed untrusted MCP servers to inject commands into AI-driven workflows. By manipulating OAuth response fields, an attacker-controlled server could influence how commands were constructed and executed. Although no active exploitation has been reported, the flaw exposed risks in authentication flows that bridge AI tools and external services.
Source: NIST National Vulnerability Database
What We Know
The issue was disclosed on October 19, 2025 and assigned CVE-2025-61591. It affects implementations of the Model Context Protocol that support OAuth-based authentication between AI clients and MCP servers.
According to the NVD entry, OAuth response parameters from MCP servers were not sufficiently sanitized before being incorporated into command execution logic. An attacker operating a malicious MCP server could craft OAuth responses that injected arbitrary commands into the client environment.
The vulnerability required interaction with an untrusted MCP server but did not require prior authentication. Updates were released to enforce stricter validation of OAuth responses and prevent command injection. No confirmed cases of real-world exploitation were noted at the time of disclosure.
Source: NIST NVD CVE-2025-61591
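The remediation described above, strict validation of OAuth fields before an MCP client acts on them, shown as an added Python example that is not code from any MCP implementation or from the NVD entry; field names follow RFC 8414 / RFC 6749, and the https-only, same-host and strict-charset policy choices are assumptions for illustration:

```python
"""Validate OAuth metadata/response fields received from an untrusted MCP server.
Added example; the policy (https only, endpoints on the MCP server's own host,
shell-safe charsets for code/state) is an assumption, not any project's rule."""
import re
from urllib.parse import urlsplit

# RFC 6749 permits any printable ASCII in code/state; we accept a stricter,
# shell-safe subset so the value can never carry metacharacters downstream.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9._~-]{1,512}$")
_URL_FIELDS = ("authorization_endpoint", "token_endpoint", "registration_endpoint")
_TOKEN_FIELDS = ("code", "state")
_FORBIDDEN = " \t\r\n;|&$`'\"<>"


class OAuthValidationError(ValueError):
    """Raised when any known field is malformed; the whole response is rejected."""


def _check_url(name: str, value: str, server_host: str) -> str:
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        raise OAuthValidationError(f"{name}: must be an absolute https URL")
    if parts.username is not None or parts.password is not None:
        raise OAuthValidationError(f"{name}: userinfo in URL is not allowed")
    if parts.hostname != server_host:
        raise OAuthValidationError(f"{name}: host {parts.hostname!r} is not the MCP server")
    if any(ch in value for ch in _FORBIDDEN):
        raise OAuthValidationError(f"{name}: unexpected characters in URL")
    return value


def validate_oauth_response(resp: dict, server_host: str) -> dict:
    """Return a sanitized copy containing only known, well-formed fields.
    Unknown keys are dropped so they can never reach command construction."""
    if not isinstance(resp, dict):
        raise OAuthValidationError("response must be a JSON object")
    clean = {}
    for name in _URL_FIELDS:
        if name in resp:
            if not isinstance(resp[name], str):
                raise OAuthValidationError(f"{name}: must be a string")
            clean[name] = _check_url(name, resp[name], server_host)
    for name in _TOKEN_FIELDS:
        if name in resp:
            value = resp[name]
            if not isinstance(value, str) or not _TOKEN_RE.fullmatch(value):
                raise OAuthValidationError(f"{name}: malformed value")
            clean[name] = value
    return clean
```

Anything the validator returns can then be passed to the browser or token-exchange step as an argument list (for example `subprocess.run([opener, url])`), never interpolated into a shell string.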
How the Vulnerability Arose
This incident stemmed from unsafe handling of authentication metadata within an AI agent protocol. OAuth responses, which are typically treated as structured and trusted, were incorporated into command construction without adequate sanitization.
In AI workflows, MCP clients often automate authentication and server interaction with minimal user oversight. This automation meant that malicious OAuth responses could be processed and acted upon immediately, turning an authentication step into an execution pathway.
The flaw illustrates how AI agent protocols can inherit traditional injection risks when they blend authentication, automation, and command execution.
Why It Matters
OAuth is widely used to establish trust between systems. When OAuth responses become an injection surface, attackers can exploit a foundational security mechanism to gain control over AI workflows.
Even without confirmed exploitation, the potential impact includes unauthorized command execution, manipulation of AI agents, and compromise of systems connected through MCP. As AI tools increasingly rely on federated authentication to interact with services, weaknesses in these flows pose systemic risk.
This incident highlights the need to treat all external inputs, including authentication metadata, as untrusted in AI-driven systems.
PointGuard AI Perspective
This vulnerability underscores the importance of securing the connective tissue between AI agents and external services.
PointGuard AI helps organizations monitor AI agent interactions, including authentication flows and server communications, to detect anomalies that may indicate misuse or injection attempts.
By enforcing policy-based controls around what AI agents and MCP clients are permitted to execute, PointGuard AI reduces the likelihood that malformed authentication data can trigger system-level actions.
Through continuous analysis of AI security incidents, PointGuard AI supports proactive defense against emerging risks in agent-based and protocol-driven AI environments.
Source: AI Runtime Defense
Source: AI Supply Chain Security
Source: AI Security Incident Tracker
Incident Scorecard Details
Total AISSI Score: 7.3/10
| Dimension | Score | Rationale | AISSI weighting |
| --- | --- | --- | --- |
| Criticality | 7.5 | Command injection during authentication flows | 25% |
| Propagation | 7.0 | Requires interaction with a malicious MCP server | 20% |
| Exploitability | 7.5 | Low complexity once server trust is established | 15% |
| Supply Chain | 7.0 | Impacts MCP protocol and AI agent ecosystems | 15% |
| Business Impact | 6.5 | No confirmed exploitation or breach reported | 25% |
Sources
- NIST National Vulnerability Database CVE-2025-61591
