Vulnerability Description
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lfprojects | Mcp Typescript Sdk | <= 1.25.1 |
Related Weaknesses (CWE)
References
- https://github.com/modelcontextprotocol/typescript-sdk/issues/965ExploitIssue Tracking
- https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-arrThird Party Advisory
- https://github.com/modelcontextprotocol/typescript-sdk/issues/965ExploitIssue Tracking
FAQ
What is CVE-2026-0621?
CVE-2026-0621 is a vulnerability with a CVSS score of 7.5 (HIGH). Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array...
How severe is CVE-2026-0621?
CVE-2026-0621 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-0621?
Check the references section above for vendor advisories and patch information. Affected products include: Lfprojects Mcp Typescript Sdk.