CVE-2026-0621
HIGHMCP TypeScript SDK <= 1.25.1 - Denial of Service via RFC 6570 Exploded Array Pattern ReDoS
Title source: llmDescription
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.
References (2)
Core 2
Core References
Exploit, Issue Tracking issue-tracking
https://github.com/modelcontextprotocol/typescript-sdk/issues/965
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos
Scores
CVSS v3
7.5
EPSS
0.0040
EPSS Percentile
31.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1333
Status
published
Products (2)
lfprojects/mcp_typescript_sdk
< 1.25.1
modelcontextprotocol/sdk
0 - 1.25.2npm
Published
Jan 05, 2026
Tracked Since
Feb 18, 2026