HackerOne Disclosed Reports - 2025-09-30 - Printable Version
Source: Dark C0d3rs (https://darkcoders.wiki), forum Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log) > Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports), thread /Thread-HackerOne-Disclosed-Reports-2025-09-30
HackerOne disclosed reports - 2025-09-30 - hashXploiter - 10-01-2025
Severity: Medium
Status: resolved
Report: `use-mcp`'s OAuth2 process uses a window.open call with untrusted MCP server provided data, allowing for code execution under the page using it
Reported by Raymond; disclosed September 30, 2025, 8:15 am
Weakness: Cross-site Scripting (XSS) - Generic

The `authorizeEndpoint` parameter in `use-mcp` was susceptible to XSS. Sanitization of that parameter was added in version 0.0.10 of `use-mcp`. A skilled attacker was able to turn this XSS into code execution on the client.
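The defect described above is an untrusted, server-supplied `authorizeEndpoint` reaching `window.open` unchecked. The following is an added illustration of the validation a client should perform before opening the authorization window; it is not `use-mcp`'s own code or its actual 0.0.10 fix, and the `metadata` object shape, the `openFn` injection point and the https-only allowlist are assumptions.

```javascript
// Added example: validate an MCP-server-provided authorizeEndpoint before it
// reaches window.open. Not use-mcp's code; shapes below are assumptions.

// Only https is accepted here; relax deliberately (e.g. http://localhost for
// local development) rather than by trusting whatever the server sent.
const ALLOWED_PROTOCOLS = new Set(["https:"]);

// Returns a normalized absolute URL string or throws. Parsing without a base
// URL means relative or scheme-less values are rejected, not resolved.
function validateAuthorizeEndpoint(candidate) {
  if (typeof candidate !== "string" || candidate.length === 0) {
    throw new Error("authorizeEndpoint must be a non-empty string");
  }
  let url;
  try {
    url = new URL(candidate);
  } catch {
    throw new Error("authorizeEndpoint is not an absolute URL");
  }
  // This is the check that matters for the report: the URL's scheme must be a
  // navigational one, so script-bearing schemes never reach window.open.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new Error(`authorizeEndpoint has disallowed scheme ${url.protocol}`);
  }
  if (url.hostname === "") {
    throw new Error("authorizeEndpoint has no host");
  }
  if (url.username !== "" || url.password !== "") {
    throw new Error("authorizeEndpoint must not embed credentials");
  }
  return url.toString();
}

// Vulnerable shape from the report: the server-provided value is used as-is.
// openFn stands in for window.open so the logic can run outside a browser.
function openAuthorizeWindowUnsafe(metadata, openFn) {
  return openFn(metadata.authorizeEndpoint, "mcp-oauth");
}

// Hardened shape: validate first, and request "noopener" so the opened
// window cannot reach back into the opener page through window.opener.
function openAuthorizeWindowSafe(metadata, openFn) {
  const target = validateAuthorizeEndpoint(metadata.authorizeEndpoint);
  return openFn(target, "mcp-oauth", "noopener,noreferrer");
}
```

In a browser, pass `window.open.bind(window)` as `openFn`; the unsafe variant is kept only to show the difference and should not be used.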