Hacker News

PUSH_AX, yesterday at 5:51 PM

Wait, we think they’re lying because an advisory was eventually found? We think that should be impossible with people involved?


Replies

usefulposter, yesterday at 6:09 PM

Reading the necessary RFC is table stakes. Instead we got this:

>"NOOOOOOOO!!!! You can't just use an LLM to write an auth library!"

>"haha gpus go brrr"

(Those lines remain in the readme, even now: https://github.com/cloudflare/workers-oauth-provider?tab=rea...)

huimang, yesterday at 5:57 PM

To me it's likely, given the extremely rudimentary nature of that issue.

parliament32, yesterday at 6:01 PM

If you're asking in good faith,

> Every line was thoroughly reviewed and cross-referenced with relevant RFCs

The issue in the CVE comes from direct contradiction of the RFC. The RFC says you MUST check redirect URIs (and, as anyone who's ever worked with OAuth knows, all the functionality around redirect URIs is a staple of how OAuth works in the first place -- this isn't some obscure edge case). They didn't make a mistake, they simply did not implement this part of the spec.

When they said every line was "thoroughly reviewed" and "cross referenced", yes, they lied.

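The redirect_uri check that parliament32's comment refers to (RFC 6749 §3.1.2.3: compare against the registered value exactly, and never redirect on a mismatch), as an added TypeScript example that is not code from the thread or from the Cloudflare library; the client record and URIs are constructed.

```typescript
// Added example (not Cloudflare's code): exact-match redirect_uri validation
// on the authorization server side, per RFC 6749 §3.1.2.3 and §4.1.2.1.

interface RegisteredClient {
  clientId: string;
  redirectUris: string[]; // hypothetical registration record, constructed inline
}

// Constructed sample client registration.
const CLIENTS: Record<string, RegisteredClient> = {
  "client-abc": {
    clientId: "client-abc",
    redirectUris: ["https://app.example.com/callback"],
  },
};

function isAllowedRedirectUri(client: RegisteredClient, redirectUri: string | undefined): boolean {
  // A client with a registered redirect URI must supply one on every request.
  if (redirectUri === undefined) return false;
  let parsed: URL;
  try { parsed = new URL(redirectUri); } catch { return false; }
  // RFC 6749 §3.1.2: the redirection endpoint URI MUST NOT include a fragment.
  if (parsed.hash !== "") return false;
  // Exact string comparison: no prefix, suffix, host-suffix or scheme relaxation.
  return client.redirectUris.includes(redirectUri);
}

type AuthzResult = { ok: true; redirectTo: string } | { ok: false; error: string };

function validateAuthorizationRequest(params: URLSearchParams): AuthzResult {
  const clientId = params.get("client_id") ?? "";
  const client = CLIENTS[clientId];
  if (!client) return { ok: false, error: "unknown client_id" };
  const redirectUri = params.get("redirect_uri") ?? undefined;
  if (redirectUri === undefined || !isAllowedRedirectUri(client, redirectUri)) {
    // On mismatch, RFC 6749 §4.1.2.1 says to inform the resource owner and NOT
    // redirect, since redirecting would deliver the code to an unregistered URI.
    return { ok: false, error: "invalid redirect_uri" };
  }
  return { ok: true, redirectTo: redirectUri };
}
```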