CVE-2026-0621: mcp_typescript_sdk: security flaw enables exploitation
Severity: HIGH. PoC available. CISA SSVC decision: Track.
Any MCP-based AI agent infrastructure running the TypeScript SDK ≤1.25.1 is exposed to a zero-authentication denial of service: one malicious URI can peg your Node.js process at 100% CPU indefinitely. If your teams use MCP to connect AI agents to tools or APIs, treat this as urgent: audit your MCP server deployments today and update, or apply input validation as a workaround until a patched release is confirmed. The combination of no privileges required, network-accessible attack surface, and the explosive adoption of MCP in enterprise AI stacks makes this operationally high-risk despite the absence of data exposure.
What is the risk?
High. CVSS 7.5 accurately reflects the network-exploitable, no-auth, availability-only impact. The real-world risk is amplified by MCP's rapid enterprise adoption: organizations standing up MCP servers to power agent frameworks frequently expose them to semi-trusted or untrusted inputs from external data sources, user queries, and orchestration pipelines. Exploitation requires no AI/ML knowledge—just a crafted URI string. The absence of CISA KEV listing and an EPSS score suggests limited current in-the-wild exploitation, but the PoC is publicly referenced on GitHub, lowering the bar significantly. Organizations running MCP servers as part of customer-facing AI products face the highest exposure.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| mcp_typescript_sdk | — | ≤1.25.1 | No patch |
If you run mcp_typescript_sdk at version 1.25.1 or earlier, you are affected.
What should I do?
Six steps:
1. PATCH: Upgrade MCP TypeScript SDK beyond 1.25.1 as soon as a patched release is available; monitor the GitHub advisory and releases page.
2. WORKAROUND: Until a patch is confirmed, implement strict allowlist validation of URI inputs before they reach the UriTemplate parser: reject inputs containing deeply nested or unusual exploded array patterns (e.g., {+list*} with excessive repetition).
3. PROCESS ISOLATION: Run MCP servers with process-level CPU limits (Node.js --max-old-space-size, OS cgroups, or container CPU limits) to bound blast radius and enable faster detection via alerting.
4. RATE LIMITING: Apply per-client rate limiting at the MCP endpoint to slow down volumetric exploitation attempts.
5. DETECTION: Alert on Node.js process CPU utilization exceeding 80% for more than 30 seconds in MCP server containers; correlate with unusual URI patterns in access logs.
6. NETWORK: If MCP servers do not need to be internet-facing, restrict access to internal networks or VPN.
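The WORKAROUND and DETECTION steps above as working code. This is an added example written for this page, not code from the advisory or from the MCP TypeScript SDK. The size limits, the alert thresholds and the CPU trace are constructed assumptions, and the guard is a generic allowlist filter that sits in front of whatever template matcher a server uses.

```javascript
// Added example, not code from the advisory or from the MCP TypeScript SDK.
// Two defensive helpers for the WORKAROUND and DETECTION steps:
//   validateUriInput  - allowlist-style guard run before any URI reaches a template matcher
//   sustainedCpuAlert - the ">80% CPU for >30 s" rule evaluated over a sample series
// All limits and sample values below are assumptions chosen for illustration.

const MAX_URI_LENGTH = 2048;   // assumption: longest URI a client may send
const MAX_LIST_VALUES = 32;    // assumption: max comma-separated values per path segment
const MAX_QUERY_PARAMS = 64;   // assumption: max '&'/';'-separated query parameters

// Returns { ok: true } or { ok: false, reason } for a raw URI string.
// The URI is percent-decoded once so %7B/%7D cannot smuggle template braces past the check.
function validateUriInput(uri) {
  if (typeof uri !== 'string') return { ok: false, reason: 'not-a-string' };
  if (uri.length > MAX_URI_LENGTH) return { ok: false, reason: 'too-long' };
  let decoded;
  try {
    decoded = decodeURIComponent(uri);
  } catch {
    return { ok: false, reason: 'bad-percent-encoding' };
  }
  // A concrete URI sent by a client has no business carrying RFC 6570 template syntax.
  if (/[{}]/.test(decoded)) return { ok: false, reason: 'template-syntax-in-uri' };
  const q = decoded.indexOf('?');
  const pathPart = q === -1 ? decoded : decoded.slice(0, q);
  const queryPart = q === -1 ? '' : decoded.slice(q + 1);
  // Exploded lists are comma-separated; bound how many values one segment may carry.
  for (const segment of pathPart.split('/')) {
    if (segment.split(',').length > MAX_LIST_VALUES) {
      return { ok: false, reason: 'excessive-repetition' };
    }
  }
  if (queryPart.split(/[&;]/).length > MAX_QUERY_PARAMS) {
    return { ok: false, reason: 'too-many-parameters' };
  }
  return { ok: true };
}

// DETECTION step as a rule over CPU samples. `samples` is an array of
// { t: seconds, cpuPct: number } in time order; the alert fires once the
// process has stayed above `thresholdPct` for at least `windowSeconds`.
function sustainedCpuAlert(samples, thresholdPct = 80, windowSeconds = 30) {
  let runStart = null;
  for (const s of samples) {
    if (s.cpuPct > thresholdPct) {
      if (runStart === null) runStart = s.t;
      if (s.t - runStart >= windowSeconds) return { alert: true, since: runStart, at: s.t };
    } else {
      runStart = null;   // the run was interrupted; start counting again
    }
  }
  return { alert: false };
}

// Constructed telemetry: one sample every 5 s; the process saturates from t=10 to t=45.
function sampleCpuTrace() {
  const trace = [];
  for (let t = 0; t <= 60; t += 5) {
    trace.push({ t, cpuPct: t >= 10 && t <= 45 ? 100 : 12 });
  }
  return trace;
}

// Stand-alone run
console.log(validateUriInput('res://%7B+list*%7D'));   // { ok: false, reason: 'template-syntax-in-uri' }
console.log(sustainedCpuAlert(sampleCpuTrace()));      // { alert: true, since: 10, at: 40 }
```

Run the guard on the raw request URI before any template matching and log the `reason`, so rejected inputs line up with the CPU alert from step 5 in the same log stream. One caveat on step 3: `--max-old-space-size` bounds the V8 heap, not CPU time, so the CPU bound itself has to come from cgroups or the container runtime's CPU quota.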
What does CISA's SSVC say?
Decision: Track. Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-0621 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-0621, increasing the risk of exploitation.
What systems are affected by CVE-2026-0621?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, model serving, API gateways.
What is the CVSS score for CVE-2026-0621?
CVE-2026-0621 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.40%.
What is the AI security impact?
Affected AI Architectures
- Agent frameworks
- Model serving
- API gateways
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0029 Denial of AI Service
- AML.T0034 Cost Harvesting
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.
Exploitation Scenario
An attacker identifies an internet-facing MCP server powering an AI agent deployment (e.g., a company's internal AI assistant with tool-use capabilities). The attacker sends a single HTTP request containing a crafted URI matching an RFC 6570 exploded array pattern—such as a deeply nested structure like %7B+list*%7D with a payload designed to trigger catastrophic backtracking in the dynamically generated regex. The Node.js event loop saturates at 100% CPU, blocking all subsequent requests. The AI agent becomes unresponsive for all users. The attacker may repeat this with minimal infrastructure (single HTTP request) to maintain the DoS state, effectively disrupting business operations that depend on AI-assisted workflows. No authentication, credentials, or AI/ML knowledge is required.
Weaknesses (CWE)
CWE-1333 — Inefficient Regular Expression Complexity: The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
- [Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
- [System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
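An added example (not the SDK's code) covering the nested-quantifier mechanism described in the Original Advisory and the first CWE mitigation above. The `NAIVE_EXPLODED_LIST_REGEX` pattern is a hypothetical illustration of how a {+list*} expression can be turned into a regex with nested unbounded quantifiers; it is not the SDK's actual generated pattern. The lint and the backtracking-free matcher are generic. Since JavaScript's built-in RegExp has no backtracking-limit setting comparable to PHP's pcre.backtrack_limit, the second CWE mitigation maps in Node.js to bounding input size and process CPU time rather than to a regex-engine setting.

```javascript
// Added example, not code from the MCP TypeScript SDK.
// Hypothetical naive conversion of "/items/{+list*}" into a regex: one value,
// then zero or more ",value" groups. Because `[^/]+` can itself consume commas,
// the group `(?:,([^/]+))*` can partition a long comma-separated string in
// exponentially many ways when the overall match fails. That is the
// nested-unbounded-quantifier shape CWE-1333 warns about.
const NAIVE_EXPLODED_LIST_REGEX = '^/items/([^/]+)(?:,([^/]+))*$';

// Heuristic lint for CWE-1333: true when an unbounded quantifier (+, *, {n,})
// is applied to a group that itself contains an unbounded quantifier. Escaped
// characters and character classes are skipped. It is conservative: some nested
// shapes are safe because the inner class excludes the delimiter, so treat a hit
// as "review this generated pattern", not as proof of exponential behaviour.
function hasNestedQuantifier(source) {
  const unboundedBrace = /^\{\d*,\}/;
  const stack = [];       // one flag per open group: unbounded quantifier seen inside?
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; continue; }                       // skip the escaped character
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === '(') { stack.push(false); continue; }
    if (c === ')') {
      const inner = stack.pop();
      const next = source[i + 1];
      const quantified = next === '+' || next === '*' ||
        (next === '{' && unboundedBrace.test(source.slice(i + 1)));
      if (inner && quantified) return true;                  // quantifier over a quantified group
      if (stack.length && (inner || quantified)) stack[stack.length - 1] = true;
      continue;
    }
    if (c === '+' || c === '*' || (c === '{' && unboundedBrace.test(source.slice(i)))) {
      if (stack.length) stack[stack.length - 1] = true;
    }
  }
  return false;
}

// Backtracking-free replacement for the exploded-list case: match the literal
// prefix, then split the remainder on ',' once. Linear in the input length.
// Returns the list of values, or null when the URI does not match the template.
function matchExplodedList(prefix, uri) {
  if (!uri.startsWith(prefix)) return null;
  const rest = uri.slice(prefix.length);
  if (rest.length === 0 || rest.includes('/')) return null;
  const values = rest.split(',');
  return values.every((v) => v.length > 0) ? values : null;
}

// Stand-alone run
console.log(hasNestedQuantifier(NAIVE_EXPLODED_LIST_REGEX));   // true
console.log(hasNestedQuantifier('^/items/([^/]+)$'));          // false
console.log(matchExplodedList('/items/', '/items/a,b,c'));     // [ 'a', 'b', 'c' ]
```

A practical place for `hasNestedQuantifier` is a unit test over every regex a template compiler emits, so a new template shape that reintroduces the nested form fails CI before it reaches an internet-facing server.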
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion (same attack type: DoS)
- CVE-2023-25668 (9.8) TensorFlow: unauthenticated RCE via heap buffer overflow (same attack type: DoS)
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE (same attack type: DoS)
- CVE-2022-35939 (9.8) TensorFlow: ScatterNd OOB write enables RCE/crash (same attack type: DoS)
- CVE-2022-41900 (9.8) TensorFlow: heap OOB RCE in FractionalMaxPool op (same attack type: DoS)