CVE-2026-0621

7.5 HIGH

📋 TL;DR

CVE-2026-0621 is a regular expression denial of service (ReDoS) in Anthropic's MCP TypeScript SDK (the @modelcontextprotocol/sdk npm package). The SDK's UriTemplate class turns RFC 6570 URI templates into regular expressions, and the pattern it generated for exploded list expressions (the `*` modifier, e.g. `{/segments*}`) could backtrack catastrophically. A client that can get a crafted URI matched against such a template (for example through a resources/read request against a registered resource template) forces the server to spend excessive CPU on the match. Because regex matching in Node.js is synchronous, that work blocks the event loop for the whole process. Any application using a vulnerable SDK version with a template that contains an exploded expression is affected.

💻 Affected Systems

Products:
  • Anthropic MCP TypeScript SDK
Versions: 1.25.1 and earlier
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is reached only when a URI is matched against a UriTemplate whose template contains an RFC 6570 exploded expression (a variable with the `*` modifier, such as `{/path*}` or `{?query*}`). Servers whose templates use only simple expressions like `{id}` are not exposed by this CVE, but should still update.


⚠️ Risk & Real-World Impact

🔴 Worst Case

A single crafted request pins the Node.js event loop, so the process stops serving every client (not just the attacker) until the match finishes or an operator restarts it. Services that depend on the MCP server see timeouts for the duration.

🟠 Likely Case

Degraded performance or temporary unresponsiveness of the affected service while the malicious request is being matched; repeated requests keep the process saturated.

🟢 If Mitigated

Minimal impact once the patched SDK is deployed; input length limits, rate limiting and monitoring reduce exposure in the meantime.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that the attacker can submit a URI that the server matches against a registered template containing an exploded expression. No credentials are needed unless the MCP server itself enforces authentication in front of those requests; the payload is a plain string, so it is trivial to produce once the template shape is known or guessed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.25.2 or later

Vendor Reference (GitHub issue): https://github.com/modelcontextprotocol/typescript-sdk/issues/965

Restart Required: Yes

Instructions:

1. Install the fixed release explicitly rather than relying on npm update, which will not move past the range pinned in package.json: npm install @modelcontextprotocol/sdk@^1.25.2
2. Confirm that package-lock.json contains no remaining copy of @modelcontextprotocol/sdk below 1.25.2, including nested copies pulled in by other dependencies: npm list @modelcontextprotocol/sdk
3. Restart the Node.js application so the new code is loaded.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Reject URIs before they reach the UriTemplate matcher: cap total length, cap the length of any run of characters between separators, and refuse control characters. This bounds how much work the vulnerable regex can be made to do but does not remove the backtracking, so the limits have to be tight enough that the worst case within them is cheap.

Request Timeout Configuration

Platform: all

Configure request timeouts so clients are released promptly. Note the limit of this measure: a synchronous regex match cannot be interrupted by an HTTP timeout, so the timeout frees the client but not the CPU. To actually bound CPU, combine timeouts with input limits or move untrusted matching into a worker thread that can be terminated.
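The following block is an added example, not code from the MCP TypeScript SDK, illustrating the TL;DR above and the input-validation workaround together. The two regexes are this example's own naive and unambiguous compilations of a comma-joined exploded list (`/files{segments*}`), not the SDK's actual patterns; the guard limits are example values that must be derived by measurement against your own templates:

```typescript
import { performance } from "node:perf_hooks";

// Hypothetical naive compilation of `/files{segments*}` (an RFC 6570 exploded
// list such as `/files/a,b,c`). The inner `[^/]+` and the outer `(...)+` both
// repeat over the same characters, so when the `$` anchor fails the engine
// retries every way of splitting the run: the cost doubles per character.
const NAIVE_EXPLODED = /^\/files\/((?:[^/]+,?)+)$/;

// Unambiguous form accepting the same comma-joined lists: every repetition
// must begin with a literal comma, so each character is consumed exactly one
// way and matching is linear in the input length.
const SAFE_EXPLODED = /^\/files\/([^/,]+(?:,[^/,]+)*)$/;

// Probe in the shape that triggers backtracking: a long separator-free run
// followed by a character the template cannot match (here a trailing slash).
function redosProbe(n: number): string {
  return "/files/" + new Array(n + 1).join("a") + "/";
}

function matchCostMs(re: RegExp, uri: string): { matched: boolean; ms: number } {
  const t0 = performance.now();
  const matched = re.test(uri);
  return { matched, ms: performance.now() - t0 };
}

// Example limits for a pre-parse guard (assumed values, not SDK constants).
// Derive real values with matchCostMs: an exponential regex doubles its cost
// for every extra character a limit allows, so a generous cap protects nothing.
const MAX_URI_LENGTH = 256;
const MAX_RUN_WITHOUT_SEPARATOR = 20;

// Reject a URI before it reaches any template matcher. This bounds the work a
// vulnerable matcher can be made to do; it does not make the regex linear, so
// it is a stop-gap until the patched SDK is deployed.
function isAcceptableUri(uri: string): boolean {
  if (uri.length > MAX_URI_LENGTH) return false;
  if (/[\u0000-\u001f\u007f]/.test(uri)) return false;
  for (const run of uri.split(/[\/,?&=#]/)) {
    if (run.length > MAX_RUN_WITHOUT_SEPARATOR) return false;
  }
  return true;
}

// Stand-alone demo: naive cost roughly doubles with n, safe cost stays flat.
function demo(): void {
  for (const n of [10, 14, 18, 20]) {
    const uri = redosProbe(n);
    const naive = matchCostMs(NAIVE_EXPLODED, uri);
    const safe = matchCostMs(SAFE_EXPLODED, uri);
    console.log(
      `n=${n} naive=${naive.ms.toFixed(3)}ms safe=${safe.ms.toFixed(3)}ms ` +
        `guard_accepts=${isAcceptableUri(uri)}`,
    );
  }
}

demo();
```

Run it and extend the list of n values a few steps: the naive column keeps doubling while the safe column does not move, which is the measurement to repeat against your own templates before trusting any length cap. Both regexes reject the probe; the difference is only how long they take to say no.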

🧯 If You Can't Patch

  • Implement rate limiting to restrict the number of requests from a single source, since an attacker needs repeated requests to keep the process saturated
  • Enforce a maximum URI length at the edge (WAF or reverse proxy); generic WAF signatures are unreliable here because the triggering input is just a long, separator-free string shaped to the server's own templates

🔍 How to Verify

Check if Vulnerable:

Check package-lock.json (or npm list) for any copy of @modelcontextprotocol/sdk at version 1.25.1 or lower. Look beyond the top-level entry: a plugin or helper library can pull in its own nested copy under node_modules/<dep>/node_modules/@modelcontextprotocol/sdk, and that copy is just as vulnerable.

Check Version:

npm list @modelcontextprotocol/sdk

Verify Fix Applied:

Verify that every resolved copy of @modelcontextprotocol/sdk in package-lock.json is 1.25.2 or higher after the update (the version range in package.json alone does not prove what was installed), then restart the process.
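An added example (not part of the original page or the SDK) that performs the check above programmatically: it walks the `packages` map of a lockfileVersion 2 or 3 package-lock.json and reports every resolved copy of the SDK, nested ones included, that is below 1.25.2. The sample lockfile and the dependency name `some-plugin` are constructed for the example:

```typescript
import { readFileSync } from "node:fs";

const PACKAGE = "@modelcontextprotocol/sdk";
const FIXED: [number, number, number] = [1, 25, 2];

// Minimal semver handling sufficient for this check: numeric
// major.minor.patch plus whether a pre-release suffix is present.
function parseVersion(v: string): { nums: [number, number, number]; prerelease: boolean } {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// True when the version is below 1.25.2. A pre-release of 1.25.2 itself
// (e.g. 1.25.2-rc.1) sorts before the release, so it is treated as vulnerable.
function isVulnerable(version: string): boolean {
  const { nums, prerelease } = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (nums[i] < FIXED[i]) return true;
    if (nums[i] > FIXED[i]) return false;
  }
  return prerelease;
}

// Shape of the parts of a v2/v3 lockfile this check reads.
interface Lockfile {
  lockfileVersion?: number;
  packages?: { [path: string]: { version?: string; link?: boolean } };
}

interface Hit { path: string; version: string }

// Every resolved copy of the SDK, at any nesting depth, that is still vulnerable.
function findVulnerableCopies(lock: Lockfile): Hit[] {
  const hits: Hit[] = [];
  const packages = lock.packages ?? {};
  for (const path of Object.keys(packages)) {
    const entry = packages[path];
    if (!path.endsWith("node_modules/" + PACKAGE) || !entry.version || entry.link) continue;
    if (isVulnerable(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Read a real lockfile from disk. Lockfile v1 stores a nested `dependencies`
// tree instead of `packages` and is not handled here.
function auditLockfile(file: string = "package-lock.json"): Hit[] {
  const lock: Lockfile = JSON.parse(readFileSync(file, "utf8"));
  if ((lock.lockfileVersion ?? 1) < 2) {
    throw new Error(`${file}: lockfileVersion ${lock.lockfileVersion ?? 1} not supported`);
  }
  return findVulnerableCopies(lock);
}

// Constructed sample: top level is patched, but a plugin carries its own
// older copy of the SDK, which `npm list` at the top level is easy to overlook.
const SAMPLE_LOCK: Lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { version: "0.1.0" },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.25.2" },
    "node_modules/some-plugin": { version: "2.3.0" },
    "node_modules/some-plugin/node_modules/@modelcontextprotocol/sdk": { version: "1.24.0" },
  },
};

console.log("sample lockfile:", findVulnerableCopies(SAMPLE_LOCK));
```

To audit a real project, call `auditLockfile("/path/to/package-lock.json")`; an empty array means every resolved copy is at 1.25.2 or later. A non-empty result with a nested path means a dependency, not your own package.json, is holding the vulnerable version, and that dependency needs updating or an npm `overrides` entry.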

📡 Detection & Monitoring

Log Indicators:

  • A single Node.js process pegged at 100% of one core while the event loop stalls (regex matching is synchronous and single-threaded)
  • Request timeouts on endpoints that match URIs against resource templates, affecting all clients at once rather than one
  • Individual resource requests whose processing time is orders of magnitude longer than usual, with no corresponding I/O

Network Indicators:

  • Repeated requests from one source carrying long URIs dominated by a single run of characters with no separator
  • Spikes in request volume to resource-read endpoints that coincide with the CPU symptoms above

SIEM Query:

source="application.logs" AND method="resources/read" AND (duration_ms>1000 OR len(uri)>512) | stats count BY src | where count>=3

The field names (method, duration_ms, uri, src) are placeholders for whatever your request log records; map them onto your own schema. Do not key the search on URI templates or braces: the attacker's URI contains no `{`, only a long separator-free run shaped to the server's own templates, so request duration, URI length and repetition per source are the usable signals.
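An added example of the same detection logic run offline over request logs, not code from the original page: it parses one JSON object per line, keeps resources/read requests that were slow or carried a long URI, and reports sources that produced several of them inside a short window. The log field names and the sample lines are constructed for the example:

```typescript
// Assumed log shape, one JSON object per line. The field names are this
// example's; map them onto your own server's request log.
interface RequestLog {
  ts: string;          // ISO-8601 timestamp
  src: string;         // client address or identity
  method: string;      // MCP method name
  uri: string;         // resource URI submitted by the client
  duration_ms: number; // server-side handling time
}

interface Finding { src: string; count: number; reason: string }

// Thresholds (example values): a request is "suspect" when it was slow or
// carried a long URI; a source is reported when it produced BURST_COUNT
// suspect requests within BURST_WINDOW_MS.
const SLOW_MS = 1000;
const LONG_URI = 512;
const BURST_COUNT = 3;
const BURST_WINDOW_MS = 60_000;

function parseLogLines(text: string): RequestLog[] {
  return text
    .split("\n")
    .filter((line) => line.trim().length > 0)
    .map((line) => JSON.parse(line) as RequestLog);
}

function isSuspect(e: RequestLog): boolean {
  return e.method === "resources/read" && (e.duration_ms >= SLOW_MS || e.uri.length >= LONG_URI);
}

// Sliding-window count of suspect requests per source.
function detectRedosBursts(entries: RequestLog[]): Finding[] {
  const timesBySrc = new Map<string, number[]>();
  for (const e of entries) {
    if (!isSuspect(e)) continue;
    const list = timesBySrc.get(e.src) ?? [];
    list.push(Date.parse(e.ts));
    timesBySrc.set(e.src, list);
  }
  const findings: Finding[] = [];
  timesBySrc.forEach((times, src) => {
    times.sort((a, b) => a - b);
    let best = 0;
    let lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > BURST_WINDOW_MS) lo++;
      best = Math.max(best, hi - lo + 1);
    }
    if (best >= BURST_COUNT) {
      findings.push({ src, count: best, reason: `${best} slow/long resources/read requests within ${BURST_WINDOW_MS / 1000}s` });
    }
  });
  return findings;
}

// Constructed sample log: 10.0.0.5 hammers a template with long separator-free
// URIs and growing latency; 10.0.0.9 is an ordinary client with one slow read.
const longRun = new Array(41).join("a");
const SAMPLE_LOG = [
  { ts: "2026-01-20T10:00:01Z", src: "10.0.0.5", method: "resources/read", uri: `file:///files/${longRun}/`, duration_ms: 1800 },
  { ts: "2026-01-20T10:00:05Z", src: "10.0.0.9", method: "resources/read", uri: "file:///files/a,b", duration_ms: 12 },
  { ts: "2026-01-20T10:00:09Z", src: "10.0.0.5", method: "resources/read", uri: `file:///files/${longRun}a/`, duration_ms: 3600 },
  { ts: "2026-01-20T10:00:20Z", src: "10.0.0.5", method: "resources/read", uri: `file:///files/${longRun}aa/`, duration_ms: 7100 },
  { ts: "2026-01-20T10:03:00Z", src: "10.0.0.9", method: "resources/read", uri: "file:///files/c", duration_ms: 2400 },
].map((e) => JSON.stringify(e)).join("\n");

const SAMPLE_FINDINGS = detectRedosBursts(parseLogLines(SAMPLE_LOG));
console.log(SAMPLE_FINDINGS);
```

A single slow read is not evidence on its own (large resources are legitimately slow), which is why the example only reports repetition per source; confirm a hit by correlating with the CPU symptoms listed above and by inspecting the URI shape.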
