CVE 8.7 HIGH

MCP TypeScript SDK UriTemplate Exploded Array Pattern ReDoS_CVE-2026-0621

January 5, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

AI Analysis

Regular expression denial of service (ReDoS) vulnerability in the UriTemplate class

Basic Information

ID CVE-2026-0621

Source VulnCheck

Published Jan 5, 2026 at 20:57

Affected Product

Vendor Anthropic

Product MCP TypeScript SDK

Affected Versions Anthropic MCP TypeScript SDK 0

CWE Classification

CWE-1333

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Anthropic

Product MCP TypeScript SDK

Version up to 1.25.1

References

{
    "lastseen": "",
    "description": "Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.",
    "published": "2026-01-05T20:57:14.515Z",
    "modified": "2026-01-05T20:57:14.515Z",
    "type": "cve",
    "title": "MCP TypeScript SDK UriTemplate Exploded Array Pattern ReDoS",
    "source": "VulnCheck",
    "references": "https://github.com/modelcontextprotocol/typescript-sdk/issues/965\nhttps://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos",
    "id": "CVE-2026-0621",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1333"
    ],
    "cvelist": null,
    "sourceData": "Anthropic MCP TypeScript SDK 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MCP TypeScript SDK",
    "version": "0",
    "vendor": "Anthropic",
    "ai_description": "Regular expression denial of service (ReDoS) vulnerability in the UriTemplate class",
    "ai_severity": "High",
    "ai_vendor": "Anthropic",
    "ai_product": "MCP TypeScript SDK",
    "ai_version": "up to 1.25.1",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply