Skip to content

fix(deps): bump @modelcontextprotocol/sdk to 1.25.2 (CVE-2026-0621 ReDoS)#140

Merged
gaojude merged 1 commit into
mainfrom
fix/mcp-sdk-redos-cve-2026-0621
Jun 1, 2026
Merged

fix(deps): bump @modelcontextprotocol/sdk to 1.25.2 (CVE-2026-0621 ReDoS)#140
gaojude merged 1 commit into
mainfrom
fix/mcp-sdk-redos-cve-2026-0621

Conversation

@gaojude

@gaojude gaojude commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

What

Bump @modelcontextprotocol/sdk from 1.24.31.25.2.

Why

@modelcontextprotocol/sdk < 1.25.2 contains a ReDoS vulnerability (CVE-2026-0621) in the UriTemplate class: partToRegExp() generates a regex with nested quantifiers (([^/]+(?:,[^/]+)*)) for exploded template variables (e.g. {/id*}, {?tags*}), causing catastrophic backtracking on crafted resources/read URIs. Patched upstream in v1.25.2 (fix PR).

This is the minimal surgical bump to the named patched version (latest is 1.29.0 if maintainers prefer to jump further).

Verification

  • pnpm typecheck
  • pnpm build
  • pnpm test ✅ (38/38 unit tests)

Closes #124
Closes #114

@gaojude
fix(deps): bump @modelcontextprotocol/sdk to 1.25.2 (CVE-2026-0621 Re…
0111fe8 
…DoS)

@modelcontextprotocol/sdk < 1.25.2 contains a ReDoS vulnerability in the
UriTemplate class (partToRegExp generates nested quantifiers that can cause
catastrophic backtracking on crafted resources/read URIs). Bump to the
patched 1.25.2.

Fixes #124
Fixes #114
@socket-security

socket-security Bot commented Jun 1, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​@​modelcontextprotocol/​sdk@​1.25.2998510092100

View full report

@socket-security

socket-security Bot commented Jun 1, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
High CVE: npm @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse

CVE: GHSA-345p-7cg4-v4c7 @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse (HIGH)

Affected versions: >= 1.10.0 < 1.26.0

Patched version: 1.26.0

From: package.jsonnpm/@modelcontextprotocol/sdk@1.25.2

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@modelcontextprotocol/sdk@1.25.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@gaojude gaojude enabled auto-merge (squash) June 1, 2026 03:31
@gaojude gaojude merged commit 3f9f406 into main Jun 1, 2026
4 checks passed
@gaojude gaojude deleted the fix/mcp-sdk-redos-cve-2026-0621 branch June 1, 2026 03:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@feedthejim feedthejim feedthejim approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Dependency security risk - Anthropic's MCP TypeScript SDK has a ReDoS vulnerability CVE-2026-0621

2 participants

@gaojude @feedthejim