NVD — MCP TypeScript SDK UriTemplate ReDoS (CVE-2026-0621)

• Category: AI CVEs

AI relevance: if you run MCP servers to expose tools/resources to LLM agents, a single crafted resources/read request can hang the server process and take your agent tooling offline.

  • What happened: CVE-2026-0621 is a regular expression DoS (ReDoS) in Anthropic’s MCP TypeScript SDK (@modelcontextprotocol/sdk).
  • Where it lives: the issue is in the UriTemplate implementation used to match RFC 6570 URI templates in server-side request handling.
  • Trigger condition: servers that register resource templates using exploded array patterns (e.g. {/id*}, {?tags*}) are the risky cases.
  • Attack shape: send a specially crafted URI that causes catastrophic backtracking (nested quantifiers) → the Node.js process pegs CPU and becomes unresponsive.
  • Why it’s easy to miss: it’s “just parsing,” but it runs inside the control-plane that brokers agent access to resources — which often sits on the same hosts as secrets and other MCP servers.
  • Patch: the upstream repo released v1.25.2 with a fix that tightens the regex for exploded patterns and adds regression tests referencing CVE-2026-0621.

Why it matters

  • Availability is a security boundary: when MCP resource servers hang, agents either fail open (fallback paths) or push humans into “quick fixes” that widen access.
  • Multi-tenant / shared tooling risk: if multiple agents/teams share an MCP server, one abusive client can degrade everyone’s workflows.
  • Agent ops blast radius: even “non-RCE” issues can be serious in agent stacks because outages can break guardrails, monitoring, or approval gates.

What to do

  1. Update: bump @modelcontextprotocol/sdk to v1.25.2+ (or the fixed line you track internally) and redeploy MCP servers.
  2. Inventory templates: search your MCP servers for ResourceTemplate/UriTemplate usage and note any template expressions that use the explode modifier (a trailing *).
  3. Rate-limit & timebox: put request limits in front of MCP HTTP transports (and consider per-request CPU timeouts / worker isolation where feasible).
  4. Threat-model clients: treat MCP clients as potentially untrusted; do not assume “it’s only my desktop app” if you run shared servers.
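Step 2 can be scripted. The following is an added example, not code from the SDK or from NVD: it parses the {...} expressions of RFC 6570 templates and flags any that use the explode modifier, run here over a constructed list of templates standing in for what a server might register.

```javascript
// Inventory check for RFC 6570 URI templates registered with an MCP server.
// Added example (not SDK code): flags expressions carrying the explode
// modifier ("*"), the template shape named as risky for CVE-2026-0621.

const OPERATORS = new Set(['+', '#', '.', '/', ';', '?', '&']);

// Parse every {...} expression into { raw, operator, vars: [{ name, explode, prefix }] }.
function parseExpressions(template) {
  const out = [];
  const re = /\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(template)) !== null) {
    let body = m[1];
    let operator = '';
    if (body.length && OPERATORS.has(body[0])) { operator = body[0]; body = body.slice(1); }
    const vars = body.split(',').map((spec) => {
      const explode = spec.endsWith('*');              // RFC 6570 explode modifier
      const noStar = explode ? spec.slice(0, -1) : spec;
      const [name, prefix] = noStar.split(':');          // ":n" is the prefix modifier
      return { name, explode, prefix: prefix === undefined ? null : Number(prefix) };
    });
    out.push({ raw: m[0], operator, vars });
  }
  return out;
}

// Raw text of each expression in the template that explodes at least one variable.
function findExplodedExpressions(template) {
  return parseExpressions(template).filter((e) => e.vars.some((v) => v.explode)).map((e) => e.raw);
}

// Scan registered templates; returns only those needing review before/after the SDK bump.
function inventory(templates) {
  return templates.map((t) => ({ template: t, exploded: findExplodedExpressions(t) })).filter((r) => r.exploded.length > 0);
}

// Constructed sample of templates a server might register (not from any real deployment).
const SAMPLE_TEMPLATES = [
  'file:///{path}',
  'db://users{/id*}',
  'search://items{?tags*}',
  'docs://{+section}/{title:10}',
];

console.log(inventory(SAMPLE_TEMPLATES));
```

Point `inventory()` at the template strings you pass to ResourceTemplate in your own servers; the {/id*} and {?tags*} entries in the sample are the ones it reports.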

Sources