CVE-2026-0621 HIGH

CVE-2026-0621: MCP TypeScript SDK UriTemplate Exploded Array Pattern ReDoS

Vendor Anthropic
Product MCP TypeScript SDK
Weakness CWE-1333
Published January 5, 2026
Last update March 5, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

Key dates

02Disclosure timeline

January 5, 2026 CVE published
March 5, 2026 Record updated