CVE-2026-0621— MCP TypeScript SDK UriTemplate Exploded Array Pattern ReDoS
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-0621
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MCP TypeScript SDK UriTemplate Exploded Array Pattern ReDoS
Source: NVD (National Vulnerability Database)
Vulnerability Description
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1333
Source: NVD (National Vulnerability Database)
Vulnerability Title
MCP TypeScript SDK 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MCP TypeScript SDK是Model Context Protocol开源的一个用于模型上下文协议服务器和客户端的开发者工具包。 MCP TypeScript SDK 1.25.1及之前版本存在安全漏洞,该漏洞源于UriTemplate类处理RFC 6570爆炸数组模式时存在正则表达式拒绝服务,可能导致CPU消耗过高和拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Anthropic | MCP TypeScript SDK | 0 ~ 1.25.1 | - |
II. Public POCs for CVE-2026-0621
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-0621
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Anthropic
- CVE-2026-35022
Anthropic Claude Code & Agent SDK OS Command Injection via A - CVE-2026-35021
Anthropic Claude Code & Agent SDK OS Command Injection via p - CVE-2026-35020
Anthropic Claude Code & Agent SDK OS Command Injection via T - CVE-2026-22561
Claude Code 安全漏洞 - CVE-2025-34072
Anthropic Slack MCP Server Data Exfiltration via Link Unfurl
Same weakness: CWE-1333
- CVE-2026-33079
Mistune ReDoS in LINK_TITLE_RE allows denial of service with - CVE-2026-41040
GROWI 安全漏洞 - CVE-2026-40319
Giskard has a Regular Expression Denial of Service (ReDoS) i - CVE-2026-5986
Zod jsVideoUrlParser util.js getTime redos - CVE-2026-35041
ReDoS in fast-jwt when using RegExp in allowed* leading to C
V. Comments for CVE-2026-0621
No comments yet