CVE-2026-39313
Description
mcp-framework is a framework for building Model Context Protocol (MCP) servers. In versions 0.2.21 and below, the readRequestBody() function in the HTTP transport concatenates request body chunks into a string with no size limit. Although a maxMessageSize configuration value exists, it is never enforced in readRequestBody(). A remote unauthenticated attacker can crash any mcp-framework HTTP server by sending a single large POST request to /mcp, causing memory exhaustion and denial of service. This issue has been fixed in version 0.2.22.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mcp-framework (npm) | < 0.2.22 | 0.2.22 |
Affected products
Patches
1f97d2bb76d63 fix: enforce maxMessageSize in readRequestBody
1 file changed · +8 −0
src/transports/http/server.ts+8 −0 modified@@ -222,9 +222,17 @@ export class HttpStreamTransport extends AbstractTransport { } private async readRequestBody(req: IncomingMessage): Promise<any> { + const maxSize = this._config.maxMessageSize ?? 4 * 1024 * 1024; return new Promise((resolve, reject) => { let body = ''; + let size = 0; req.on('data', (chunk) => { + size += chunk.length; + if (size > maxSize) { + req.destroy(); + reject(new Error(`Request body exceeds maximum size of ${maxSize} bytes`)); + return; + } body += chunk.toString(); }); req.on('end', () => {
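Review bot: the new limit in `readRequestBody` is only checked after a chunk has already been received, and the unchanged `body += chunk.toString();` line still decodes each chunk on its own, so a multibyte UTF-8 character that straddles two chunks is corrupted; consider collecting the chunks as Buffers and decoding once with `Buffer.concat` after `'end'`. It would also be cheaper to look at the `Content-Length` header, when present, before attaching the `'data'` listener so an obviously oversized request is refused without reading any of its body. Finally, `req.destroy()` followed by `reject(...)` ends the read without an HTTP reply, so make sure the code that awaits this promise answers the client (for example with a 413) or intentionally closes the socket, since that handling is not visible in this hunk.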
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.