rmcp is vulnerable to Origin Validation Error
82
High Risk
The rmcp OAuth client discovers OAuth Protected Resource metadata (RFC 9728) in crates/rmcp/src/transport/auth.rs but does not validate the resource field against the MCP server it is connecting to. A malicious MCP server can return metadata whose resource points at a legitimate server, causing the client to start an OAuth flow with the legitimate authorization server and then send the resulting access token back to the attacker. This enables access token theft and full impersonation of the victim on the legitimate server. The fix adds the resource field to the metadata struct and rejects metadata whose resource does not match the configured server origin.
You are affected if you are using a version that falls within the vulnerable range and your application uses the rmcp OAuth client to authenticate to MCP servers.
rmcp is vulnerable to Origin Validation Error in versions 0.8.2 - 1.8.0.
Upgrade the rmcp library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant