AI Threat Alert
CVE-2026-0621
HIGHAny MCP-based AI agent infrastructure running the TypeScript SDK ≤1.25.1 is exposed to a zero-authentication denial of service: one malicious URI can peg your Node.js process at 100% CPU indefinitely. If your teams use MCP to connect AI agents to tools or APIs, treat this as urgent—audit your MCP server deployments today and update or apply input validation as a workaround until a patched release is confirmed. The combination of no privileges required, network-accessible attack surface, and the explosive adoption of MCP in enterprise AI stacks makes this operationally high-risk despite the absence of data exposure.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| mcp_typescript_sdk | — | — | No patch |
Do you use mcp_typescript_sdk? You're affected.
Severity & Risk
Recommended Action
- 1. PATCH: Upgrade MCP TypeScript SDK beyond 1.25.1 as soon as a patched release is available; monitor the GitHub advisory and releases page. 2. WORKAROUND: Until a patch is confirmed, implement strict allowlist validation of URI inputs before they reach the UriTemplate parser—reject inputs containing deeply nested or unusual exploded array patterns (e.g., {+list*} with excessive repetition). 3. PROCESS ISOLATION: Run MCP servers with process-level CPU limits (Node.js --max-old-space-size, OS cgroups, or container CPU limits) to bound blast radius and enable faster detection via alerting. 4. RATE LIMITING: Apply per-client rate limiting at the MCP endpoint to slow down volumetric exploitation attempts. 5. DETECTION: Alert on Node.js process CPU utilization exceeding 80% for more than 30 seconds in MCP server containers; correlate with unusual URI patterns in access logs. 6. NETWORK: If MCP servers do not need to be internet-facing, restrict access to internal networks or VPN.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.
Exploitation Scenario
An attacker identifies an internet-facing MCP server powering an AI agent deployment (e.g., a company's internal AI assistant with tool-use capabilities). The attacker sends a single HTTP request containing a crafted URI matching an RFC 6570 exploded array pattern—such as a deeply nested structure like %7B+list*%7D with a payload designed to trigger catastrophic backtracking in the dynamically generated regex. The Node.js event loop saturates at 100% CPU, blocking all subsequent requests. The AI agent becomes unresponsive for all users. The attacker may repeat this with minimal infrastructure (single HTTP request) to maintain the DoS state, effectively disrupting business operations that depend on AI-assisted workflows. No authentication, credentials, or AI/ML knowledge is required.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H