CVE-2026-0621

216.73.217.22

· Published 05/01/2026 21:16 · Modified 05/01/2026 22:15

Labels: CVE-2026-0621 2026-01-05 CVE-2026-0621 CWE-1333 [email protected]

Essential information

Published: 05/01/2026 21:16
Modified: 05/01/2026 22:15
Author: —
Creator: —
CVSS: 8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
anthropic / mcp typescript sdk	`cpe:2.3:a:anthropic:mcp_typescript_sdk::::::::`