CVE-2026-0621

HIGH

Lfprojects Mcp Typescript SDK < 1.25.1 - Denial of Service

Title source: rule

Description

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

References (2)

[Exploit, Issue Tracking] https://github.com/modelcontextprotocol/typescript-sdk/issues/965

[Third Party Advisory] https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos

Scores

CVSS v3 7.5

EPSS 0.0002

EPSS Percentile 6.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1333

Status published

Products (2)

lfprojects/mcp_typescript_sdk < 1.25.1

modelcontextprotocol/sdk 0 - 1.25.2npm

Published Jan 05, 2026

Tracked Since Feb 18, 2026