cvedb.io
CVE-2026-0621
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-01-05T21:16:14.533 · Last modified 2026-06-17T10:11:05.937

Summary

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

Affected products

lfprojects — mcp_typescript_sdk

Does this affect you?

Add your gear to cvedb and we'll alert you only when lfprojects ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.