๐Ÿ” CVE Alert

CVE-2026-0621

UNKNOWN 0.0

MCP TypeScript SDK UriTemplate Exploded Array Pattern ReDoS

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.
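As an added example (not code from the SDK or the advisory), the JavaScript below puts the kind of nested-quantifier shape the description refers to beside an unambiguous rewrite, with a small lint for generated patterns and a length-capped matcher. The pattern strings, `MAX_URI_LENGTH` and all function names are assumptions made for illustration, not the SDK's actual regular expression or API.

```javascript
// Added illustration; pattern shapes and names are assumptions, not SDK code.
const MAX_URI_LENGTH = 2048; // assumed cap; tune to the longest legitimate URI

// Ambiguous shape: the item class [^/] also accepts ",", so one input can be
// divided between the inner "+" and the outer "*" in exponentially many ways.
const AMBIGUOUS = "[^/]+(?:,[^/]+)*";

// Unambiguous shape: items cannot contain the separator, so each input has a
// single way to be divided and a non-match is rejected without blow-up.
const UNAMBIGUOUS = "[^/,]+(?:,[^/,]+)*";

// Lint for generated patterns of the form CLASS+(?:SEP CLASS+)*.
// Returns true when SEP is itself matched by CLASS (the risky overlap),
// false when it is not, and null when the pattern has another shape.
function separatorOverlapsItemClass(source) {
  const m = /^(\[[^\]]+\])\+\(\?:(.)\1\+\)\*$/.exec(source);
  if (!m) return null;
  return new RegExp("^" + m[1] + "$").test(m[2]);
}

// Length-capped matcher for one exploded-array segment such as "a,b,c".
// Returns the list of items, or null when the segment is rejected.
function matchExplodedSegment(segment) {
  if (typeof segment !== "string" || segment.length > MAX_URI_LENGTH) {
    return null; // refuse oversized input before any regex runs
  }
  const re = new RegExp("^" + UNAMBIGUOUS + "$");
  return re.test(segment) ? segment.split(",") : null;
}
```

The lint is a heuristic for this one pattern shape; a pattern it returns `null` for still needs review or a dedicated ReDoS checker.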

CWE CWE-1333
Vendor anthropic
Product mcp typescript sdk
Published Jan 5, 2026
Last Updated Mar 5, 2026

Affected Versions

Anthropic / MCP TypeScript SDK
0 ≤ 1.25.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/modelcontextprotocol/typescript-sdk/issues/965
vulncheck.com: https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos

Credits

Weblover