High severityOSV Advisory· Published Jan 5, 2026· Updated Mar 5, 2026
MCP TypeScript SDK UriTemplate Exploded Array Pattern ReDoS
CVE-2026-0621
Description
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@modelcontextprotocol/sdknpm | < 1.25.2 | 1.25.2 |
Affected products
62- Range: 0.1.0, 0.15.1, 0.2.0, …
- osv-coords61 versionspkg:apk/chainguard/kibana-9.1pkg:apk/chainguard/kibana-9.1-iamguardedpkg:apk/chainguard/kibana-9.2pkg:apk/chainguard/kibana-9.2-iamguardedpkg:apk/chainguard/langfuse-3pkg:apk/chainguard/langfuse-3-compatpkg:apk/chainguard/langfuse-3-workerpkg:apk/chainguard/langfuse-fips-3pkg:apk/chainguard/langfuse-fips-3-workerpkg:apk/chainguard/librechatpkg:apk/chainguard/librechat-compatpkg:apk/chainguard/librechat-devpkg:apk/chainguard/opensearch-dashboards-2pkg:apk/chainguard/opensearch-dashboards-2-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-configpkg:apk/chainguard/opensearch-dashboards-2-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-2-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-2-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-2-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-2-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-2-dashboards-visualizationspkg:apk/chainguard/opensearch-dashboards-2-fipspkg:apk/chainguard/opensearch-dashboards-2-fips-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-configpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-visualizationspkg:apk/chainguard/opensearch-dashboards-2-fips-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-2-fips-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-security-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-2-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-security-dashboards-pluginpkg:apk/wolfi/langfuse-3pkg:apk/wolfi/langfuse-3-compatpkg:apk/wolfi/langfuse-3-workerpkg:apk/wolfi/opensearch-dashboards-2pkg:apk/wolfi/opensearch-dashboards-2-alerting-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-anomaly-detection-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-configpkg:apk/wolfi/opensearch-dashboards-2-dashboards-mapspkg:apk/wolfi/opensearch-dashboards-2-dashboards-notificationspkg:apk/wolfi/opensearch-dashboards-2-dashboards-observabilitypkg:apk/wolfi/opensearch-dashboards-2-dashboards-query-workbenchpkg:apk/wolfi/opensearch-dashboards-2-dashboards-reportingpkg:apk/wolfi/opensearch-dashboards-2-dashboards-search-relevancepkg:apk/wolfi/opensearch-dashboards-2-dashboards-visualizationspkg:apk/wolfi/opensearch-dashboards-2-index-management-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-ml-commons-dashboardspkg:apk/wolfi/opensearch-dashboards-2-security-analytics-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-security-dashboards-pluginpkg:npm/%40modelcontextprotocol/sdk
< 9.1.9-r2+ 60 more
- (no CPE)range: < 9.1.9-r2
- (no CPE)range: < 9.1.9-r2
- (no CPE)range: < 9.2.3-r2
- (no CPE)range: < 9.2.3-r2
- (no CPE)range: < 3.145.0-r0
- (no CPE)range: < 3.144.0-r0
- (no CPE)range: < 3.145.0-r0
- (no CPE)range: < 3.145.0-r0
- (no CPE)range: < 3.145.0-r0
- (no CPE)range: < 0.8.1-r4
- (no CPE)range: < 0.8.1-r2
- (no CPE)range: < 0.8.1-r2
- (no CPE)range: < 2.19.4-r5
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r5
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r5
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r5
- (no CPE)range: < 3.145.0-r0
- (no CPE)range: < 3.144.0-r0
- (no CPE)range: < 3.145.0-r0
- (no CPE)range: < 2.19.4-r5
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r5
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r4
- (no CPE)range: < 2.19.4-r5
- (no CPE)range: < 1.25.2
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-8r9q-7v3j-jr4gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-0621ghsaADVISORY
- www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redosghsathird-party-advisoryWEB
- github.com/modelcontextprotocol/typescript-sdk/commit/b392f02ffcf37c088dbd114fedf25026ec3913d3ghsaWEB
- github.com/modelcontextprotocol/typescript-sdk/issues/965ghsaissue-trackingWEB
- github.com/modelcontextprotocol/typescript-sdk/releases/tag/v1.25.2ghsaWEB
- github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-cqwc-fm46-7fffghsaWEB
News mentions
0No linked articles in our index yet.