PT-2026-1337 · Anthropic · Mcp Typescript Sdk

Weblover · Published 2026-01-05 · Updated 2026-02-02 · CVE-2026-0621

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Anthropic's MCP TypeScript SDK, versions up to and including 1.25.1.

Description

The software contains a regular expression denial of service (ReDoS) issue in the UriTemplate class when handling RFC 6570 exploded array patterns. The regular expression generated dynamically for URI matching includes nested quantifiers, which can lead to catastrophic backtracking when processing specifically crafted input. This can cause excessive CPU usage, potentially making the Node.js process unresponsive and resulting in a denial of service. An attacker can trigger the issue by providing a malicious URI.

Recommendations

Upgrade to version 1.25.2.
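As an added illustration (not code from the SDK or from this advisory, and not the SDK's actual generated pattern): a conservative lint for the nested-quantifier shape the description refers to, and a linear-time matcher for RFC 6570 path explosion ("{/var*}") that splits on the delimiter instead of letting a regex backtrack. Function names, the sample template and the sample patterns are assumptions.

```typescript
// Added illustration, not the SDK's code. Two defensive pieces for URI-template
// matching: a lint that flags the nested-quantifier shape behind catastrophic
// backtracking, and a linear-time matcher for RFC 6570 path explosion ("{/name*}").

// Conservative heuristic: an innermost group whose body is itself quantified and
// which is then quantified again, e.g. "(?:[^/]*)*" or "([a-z]+)+". It also flags
// some patterns that are safe because a delimiter makes each repetition
// unambiguous, so treat a hit as "review this generated regex", not as proof of
// a bug. Intended for short, developer-supplied pattern sources.
function hasNestedQuantifier(regexSource: string): boolean {
  return /\([^()]*[+*][^()]*\)[+*{]/.test(regexSource);
}

// Match "<prefix>{/name*}" against a URI without any regex over untrusted input.
// Returns the decoded segments, or null when the URI does not fit the template
// (wrong prefix, empty segment, or malformed percent-encoding). Cost is linear
// in the URI length regardless of how the input is shaped.
function matchExplodedPath(template: string, uri: string): Record<string, string[]> | null {
  const open = template.lastIndexOf("{/");
  if (open < 0 || !template.endsWith("*}")) return null; // not a "{/name*}" template
  const prefix = template.slice(0, open);
  const name = template.slice(open + 2, -2);
  if (!uri.startsWith(prefix)) return null;
  const rest = uri.slice(prefix.length);
  if (rest === "") return { [name]: [] }; // explosion of an empty list
  if (!rest.startsWith("/")) return null;
  const segments = rest.slice(1).split("/");
  if (segments.some((s) => s.length === 0)) return null; // "a//b" is not a valid explosion
  try {
    return { [name]: segments.map((s) => decodeURIComponent(s)) };
  } catch {
    return null; // malformed percent-encoding such as "%E0%A4%A"
  }
}
```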

Tags: Exploit · Fix · DoS

Weakness Enumeration

Related Identifiers

CVE-2026-0621
GHSA-8R9Q-7V3J-JR4G

Affected Products

Mcp Typescript Sdk