software

CVE-2026-0621: Event-Loop Denial of Service in the MCP TypeScript SDK

Published: (January 15, 2026 at 01:34 AM EST)
2 min read
Source: Dev.to

Source: Dev.to

TL;DR

Patch immediately: upgrade to v1.25.2 of @modelcontextprotocol/sdk.

Identifier

CVE-2026-0621 (GHSA-8r9q-7v3j-jr4g)

Severity

8.7 – High

Affected Component

@modelcontextprotocol/sdk

Impact

  • Total Node.js event‑loop blockage (Denial of Service)
  • 100 % CPU saturation on a single thread
  • Complete MCP server outage, causing tool‑call failures and severe SLO violations

Affected / Unaffected Versions

  • Affected: = 1.25.2

Deployments at Risk

Any MCP server (self‑hosted or cloud) that uses the TypeScript SDK.

Exploitation Prerequisites

  • At least one registered resource template using exploded variables (*, RFC 6570)
  • Publicly accessible MCP endpoint (no authentication required)

Technical Details

Root Cause

Catastrophic backtracking in the UriTemplate class, specifically the partToRegExp() function.
When expanding array‑based URI patterns, the SDK generates a regular expression with nested quantifiers (e.g., a repetition inside another repetition). If the input almost matches but fails at the final character, the V8 regex engine explores every possible permutation, leading to exponential time complexity.

Vulnerable Pattern

Exploded variables in resource templates, e.g.:

{/ids*}

Attacker‑Controlled Input

A URI containing a large number of delimiters (commas) followed by a non‑matching character, e.g.:

/resource/1,2,3,4,5,6,7,8,9,10X

Runtime Behavior

  • Each additional comma doubles the number of execution paths (2^n complexity).
  • Node.js’s single‑threaded event loop becomes completely blocked.
  • Health checks fail; the server remains unresponsive until the process is terminated.

Indirect Prompt‑Injection Vector (2026 context)

  1. Attacker embeds a malicious instruction in a document or website.
  2. An LLM consumes the data.
  3. The agent generates the malicious ReDoS URI.
  4. The MCP server executes it, bypassing traditional network‑level defenses.

Fix

  • Version: @modelcontextprotocol/sdk@1.25.2
  • Commit: b392f02 – Regex generation hardening.
  • Change: Negated character sets are made mutually exclusive with delimiters (e.g., [^\ /]+[^\ /,]+), eliminating ambiguous backtracking paths and enforcing linear‑time evaluation.

Compatibility

Backward compatible; no breaking changes.

Upgrade Command

npm update @modelcontextprotocol/sdk

Mitigation & Best Practices

  • Audit Templates: Search for resource templates using the * modifier (e.g., {?list*}).
  • WAF Controls: Rate‑limit MCP endpoints and flag URIs with excessive repeating delimiters.
  • Timeouts: Enforce request/worker timeouts (e.g., abort if execution exceeds 500 ms).
  • Resource Isolation: Run MCP servers with strict CPU quotas to prevent host‑level starvation.
  • Adversarial Testing: Add fuzz testing for URI templates and agent‑generated inputs in CI/CD pipelines.
  • General Guidance:
    • “Availability is Security”: an unavailable system is insecure.
    • Treat LLM‑generated strings with the same skepticism as raw user input.
    • Any component that converts templates into executable logic (regex, ASTs, query planners) is a high‑risk entry point.

References

Back to Blog

Related posts

Read more »

Rapg: TUI-based Secret Manager

We've all been there. You join a new project, and the first thing you hear is: > 'Check the pinned message in Slack for the .env file.' Or you have several .env...

Technology is an Enabler, not a Saviour

Why clarity of thinking matters more than the tools you use Technology is often treated as a magic switch—flip it on, and everything improves. New software, pl...