CVE-2026-0621

Vulnerability Description

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

Vulnerability Details

Published Date

January 05, 2026

Last Modified

January 08, 2026

CWE ID

CWE-1333

Source

NVD

External References

https://github.com/modelcontextprotocol/typescript-sdk/issues/965
https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos
https://github.com/modelcontextprotocol/typescript-sdk/issues/965

CVE-2026-0621

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment