Cloudflare vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2025-05-01 CVE-2025-4143 Open Redirect vulnerability in Cloudflare Workers-Oauth-Provider 0.0.5
The OAuth implementation in workers-oauth-provider, part of the MCP framework (https://github.com/cloudflare/workers-mcp), did not correctly validate that redirect_uri was on the allowed list of redirect URIs for the given client registration. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/26 Impact: Under certain circumstances (see below), if a victim had previously authorized with a server built on workers-oauth-provider, and an attacker could later trick the victim into visiting a malicious web site, then the attacker could potentially steal the victim's credentials to the same OAuth server and subsequently impersonate them. For the attack to be possible, the OAuth server's authorize callback must be designed to auto-approve authorizations that appear to come from an OAuth client that the victim has authorized previously.
network
low complexity
cloudflare CWE-601
6.1
2025-05-01 CVE-2025-4144 Unspecified vulnerability in Cloudflare Workers-Oauth-Provider 0.0.5
PKCE was implemented in the OAuth implementation in workers-oauth-provider, part of the MCP framework (https://github.com/cloudflare/workers-mcp).
network
low complexity
cloudflare
critical
9.8
2024-01-29 CVE-2024-0212 Unspecified vulnerability in Cloudflare
The Cloudflare WordPress plugin was found to be vulnerable to improper authentication.
network
low complexity
cloudflare
6.5
2024-01-04 CVE-2023-6992 Out-of-bounds Write vulnerability in Cloudflare Zlib
The Cloudflare version of the zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c).
local
low complexity
cloudflare CWE-787
5.5
2023-12-29 CVE-2023-7078 Server-Side Request Forgery (SSRF) vulnerability in Cloudflare Miniflare 3.20230821.0
Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server.
low complexity
cloudflare CWE-918
8.1
2023-12-29 CVE-2023-7079 Improper Authentication vulnerability in Cloudflare Wrangler
Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network.
low complexity
cloudflare CWE-287
5.7
2023-12-29 CVE-2023-7080 Unspecified vulnerability in Cloudflare Wrangler
The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging.
low complexity
cloudflare
8.0
2023-12-12 CVE-2023-6193 Resource Exhaustion vulnerability in Cloudflare Quiche
quiche v.
network
low complexity
cloudflare CWE-400
5.3
2023-12-05 CVE-2023-6180 Memory Leak vulnerability in Cloudflare Boring 4.0.0
The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion.
network
low complexity
cloudflare CWE-401
5.3
2023-09-07 CVE-2023-3747 Reliance on Cookies without Validation and Integrity Checking vulnerability in Cloudflare Warp 6.29
Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices.
local
low complexity
cloudflare CWE-565
5.5