Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.
oryginał ENCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XLfprojects Mcp Typescript Sdk
APPLfprojects≤ 1.25.1
Powiązane podatności
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version...
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.2...
MLflow: nieautoryzowany dostęp do endpointów multipart upload (RCE)
MLflow: nieprawidłowa walidacja origin umożliwia RCE przez cross-origin request
Brak uwierzytelnienia w endpointach FastAPI jobs w MLflow (Auth Bypass / RCE)