CVE-2026-0621

MCP TypeScript SDK UriTemplate Exploded Array Pattern ReDoS

CVSS 8.7 HIGHEPSS 0.4%CWE-1333

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.7EPSS 0.4%KEV nãoPoC —Patch —

Ciclo de vida

05 jan 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Produtos afetados

Anthropic · MCP TypeScript SDK

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/modelcontextprotocol/typescript-sdk/issues/965 https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos