HIGH🇬🇧 English

CVE-2026-0621

CVSS 8.7v4.0pub. 2026-01-05upd. 2026-01-30

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Lfprojects Mcp Typescript Sdk

    APP
    Lfprojects
    ≤ 1.25.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
DoS
CWE
Referencje

Powiązane podatności

CVE-2026-25536HIGH7.1ten sam produkt

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version...

CVE-2025-66414HIGH7.6ten sam produkt

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.2...

CVE-2026-2651CRITICAL9.0PL ✓ten sam vendor

MLflow: nieautoryzowany dostęp do endpointów multipart upload (RCE)

CVE-2026-2611CRITICAL9.6PL ✓ten sam vendor

MLflow: nieprawidłowa walidacja origin umożliwia RCE przez cross-origin request

CVE-2026-0545CRITICAL9.8PL ✓ten sam vendor

Brak uwierzytelnienia w endpointach FastAPI jobs w MLflow (Auth Bypass / RCE)