OAuth Dynamic Client Registration Permissive Metadata Field

low Web App Scanning Plugin ID 114920

Language:

Synopsis

OAuth Dynamic Client Registration Permissive Metadata Field

Description

OAuth Dynamic Client Registration allows for various metadata fields such as 'client_name', 'website_uri' during the registration process. When the OAuth server accepts permissive values for such fields, such as ones starting with javascript://, an attacker could exploit this to perform Cross-Site Scripting (XSS) attacks. OAuth Dynamic Client Registration is very common in the context of Model Context Protocol (MCP) servers, allowing attackers to target AI developers

Solution

Enforce strict validation on URLs to ensure they are only using https:// scheme.

See Also

https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html

Plugin Details

Severity: Low

ID: 114920

Type: remote

Family: Web Applications

Published: 7/18/2025

Updated: 7/18/2025

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Low

Base Score: 2.1

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 20

OWASP: 2010-A4, 2013-A4, 2017-A5, 2021-A3

WASC: Improper Input Handling

CAPEC: 10, 101, 104, 108, 109, 110, 120, 13, 135, 136, 14, 153, 182, 209, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 42, 43, 45, 46, 47, 473, 52, 53, 588, 63, 64, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-002560

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-5.1.3

PCI-DSS: 3.2-6.5