Description
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.
Scores
CVSS v3
7.1
EPSS
0.0002
EPSS Percentile
3.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-362
Status
published
Products (3)
lfprojects/mcp_typescript_sdk
1.10.0 - 1.26.0
modelcontextprotocol/sdk
1.10.0 - 1.26.0npm
modelcontextprotocol/typescript-sdk
>= 1.10.0, < 1.26.0
Published
Feb 04, 2026
Tracked Since
Feb 18, 2026