MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

mcp-framework is a framework for building Model Context Protocol (MCP) servers. In versions 0.2.21 and below, the readRequestBody() function in the HTTP transport concatenates request body chunks into a string with no size limit. Although a maxMessageSize configuration value exists, it is never enforced in readRequestBody(). A remote unauthenticated attacker can crash any mcp-framework HTTP server by sending a single large POST request to /mcp, causing memory exhaustion and denial of service. This issue has been fixed in version 0.2.22.

AI Analysis

Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport

Basic Information

ID CVE-2026-39313

Source GitHub_M

Published Apr 16, 2026 at 21:24

Affected Product

Vendor QuantGeekDev

Product mcp-framework

Version < 0.2.22

Affected Versions QuantGeekDev mcp-framework < 0.2.22

CWE Classification

CWE-770

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor QuantGeekDev

Product mcp-framework

Version 0.2.21 and below

References

{
    "lastseen": "",
    "description": "mcp-framework is a framework for building Model Context Protocol (MCP) servers. In versions 0.2.21 and below, the readRequestBody() function in the HTTP transport concatenates request body chunks into a string with no size limit. Although a maxMessageSize configuration value exists, it is never enforced in readRequestBody(). A remote unauthenticated attacker can crash any mcp-framework HTTP server by sending a single large POST request to /mcp, causing memory exhaustion and denial of service. This issue has been fixed in version 0.2.22.",
    "published": "2026-04-16T21:24:27.328Z",
    "modified": "2026-04-16T21:24:27.328Z",
    "type": "cve",
    "title": "MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport",
    "source": "GitHub_M",
    "references": "https://github.com/QuantGeekDev/mcp-framework/security/advisories/GHSA-353c-v8x9-v7c3\nhttps://github.com/QuantGeekDev/mcp-framework/commit/f97d2bb76d6359faf10cd1fc54b4911476b62524",
    "id": "CVE-2026-39313",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "QuantGeekDev mcp-framework < 0.2.22",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mcp-framework",
    "version": "< 0.2.22",
    "vendor": "QuantGeekDev",
    "ai_description": "Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport",
    "ai_severity": "High",
    "ai_vendor": "QuantGeekDev",
    "ai_product": "mcp-framework",
    "ai_version": "0.2.21 and below",
    "ai_score": 8.7
}

MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport_CVE-2026-39313