Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.
References
| Link | Resource |
|---|---|
| https://github.com/modelcontextprotocol/typescript-sdk/issues/965 | Exploit Issue Tracking |
| https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos | Third Party Advisory |
| https://github.com/modelcontextprotocol/typescript-sdk/issues/965 | Exploit Issue Tracking |
Configurations
History
30 Jan 2026, 01:16
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:lfprojects:mcp_typescript_sdk:*:*:*:*:*:*:*:* | |
| First Time |
Lfprojects mcp Typescript Sdk
Lfprojects |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| References | () https://github.com/modelcontextprotocol/typescript-sdk/issues/965 - Exploit, Issue Tracking | |
| References | () https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos - Third Party Advisory |
05 Jan 2026, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/modelcontextprotocol/typescript-sdk/issues/965 - |
05 Jan 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-05 21:16
Updated : 2026-01-30 01:16
NVD link : CVE-2026-0621
Mitre link : CVE-2026-0621
CVE.ORG link : CVE-2026-0621
JSON object : View
Products Affected
lfprojects
- mcp_typescript_sdk
CWE
CWE-1333
Inefficient Regular Expression Complexity