CVE-2026-0621 | THREATINT

Description

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

PUBLISHED Reserved 2026-01-05 | Published 2026-01-05 | Updated 2026-01-05 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-1333 Inefficient Regular Expression Complexity

Product status

Default status

unaffected

Any version

affected

Credits

Weblover finder

References

github.com/modelcontextprotocol/typescript-sdk/issues/965 exploit

github.com/modelcontextprotocol/typescript-sdk/issues/965 issue-tracking

www.vulncheck.com/...ritemplate-exploded-array-pattern-redos third-party-advisory

cve.org (CVE-2026-0621)

nvd.nist.gov (CVE-2026-0621)

Download JSON