CVE-2025-53366
HIGHmcp < 1.9.4 - Denial of Service via Malformed Request Validation Error
Title source: llmDescription
The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.9.4, a validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.9.4 contains a patch for the issue.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-3qhf-m339-9g5v
Issue Tracking x_refsource_misc
https://github.com/modelcontextprotocol/python-sdk/pull/822
Scores
CVSS v4
8.7
EPSS
0.0569
EPSS Percentile
92.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-248
Status
published
Products (2)
modelcontextprotocol/python-sdk
< 1.9.4
pypi/mcp
0 - 1.9.4PyPI
Published
Jul 04, 2025
Tracked Since
Feb 18, 2026