CVE-2026-0621: mcp_typescript_sdk: ReDoS in UriTemplate enables denial of service

Severity: HIGH | PoC available | CISA SSVC: Track*
Published January 5, 2026
CISO Take

Any MCP-based AI agent infrastructure running the TypeScript SDK ≤1.25.1 is exposed to a zero-authentication denial of service: one malicious URI can peg your Node.js process at 100% CPU indefinitely. If your teams use MCP to connect AI agents to tools or APIs, treat this as urgent—audit your MCP server deployments today and update or apply input validation as a workaround until a patched release is confirmed. The combination of no privileges required, network-accessible attack surface, and the explosive adoption of MCP in enterprise AI stacks makes this operationally high-risk despite the absence of data exposure.

Risk Assessment

High. CVSS 7.5 accurately reflects the network-exploitable, no-auth, availability-only impact. The real-world risk is amplified by MCP's rapid enterprise adoption: organizations standing up MCP servers to power agent frameworks frequently expose them to semi-trusted or untrusted inputs from external data sources, user queries, and orchestration pipelines. Exploitation requires no AI/ML knowledge—just a crafted URI string. The absence of CISA KEV listing and an EPSS score suggests limited current in-the-wild exploitation, but the PoC is publicly referenced on GitHub, lowering the bar significantly. Organizations running MCP servers as part of customer-facing AI products face the highest exposure.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
mcp_typescript_sdk | | | No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 14% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. PATCH

    Upgrade MCP TypeScript SDK beyond 1.25.1 as soon as a patched release is available; monitor the GitHub advisory and releases page.

  2. WORKAROUND

    Until a patch is confirmed, implement strict allowlist validation of URI inputs before they reach the UriTemplate parser—reject inputs containing deeply nested or unusual exploded array patterns (e.g., {+list*} with excessive repetition).

  3. PROCESS ISOLATION

    Run MCP servers with process-level CPU limits (Node.js --max-old-space-size, OS cgroups, or container CPU limits) to bound blast radius and enable faster detection via alerting.

  4. RATE LIMITING

    Apply per-client rate limiting at the MCP endpoint to slow down volumetric exploitation attempts.

  5. DETECTION

    Alert on Node.js process CPU utilization exceeding 80% for more than 30 seconds in MCP server containers; correlate with unusual URI patterns in access logs.

  6. NETWORK

    If MCP servers do not need to be internet-facing, restrict access to internal networks or VPN.
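
One way to implement the step 2 workaround and the log correlation in step 5, as an added example that is not part of the MCP SDK or this advisory: a guard that bounds URI length, path depth and comma-separated list size before the string reaches template matching. The function names, reason codes and limits are assumptions, and the sample URIs are constructed.

```typescript
// Added example, not SDK code. Names and limits are assumptions; tune per deployment.
interface UriLimits {
  maxLength: number;    // total characters accepted
  maxSegments: number;  // "/"-separated path segments
  maxListItems: number; // comma-separated items in one segment; keep small, since
                        // backtracking cost can grow steeply with repetition count
}
const DEFAULT_LIMITS: UriLimits = { maxLength: 2048, maxSegments: 32, maxListItems: 16 };

// Returns null when the URI may be passed on to template matching, else a reason code.
function uriRejectReason(uri: string, limits: UriLimits = DEFAULT_LIMITS): string | null {
  if (uri.length > limits.maxLength) return "too-long";
  let decoded: string;
  try {
    decoded = decodeURIComponent(uri);
  } catch (e) {
    return "bad-encoding"; // malformed percent-escape
  }
  // Check the raw and the decoded form so %2C / %2F cannot hide or split a list.
  for (const form of [uri, decoded]) {
    for (let i = 0; i < form.length; i++) {
      const c = form.charCodeAt(i);
      if (c < 0x20 || c === 0x7f) return "control-char";
    }
    const cut = form.search(/[?#]/);
    const segments = (cut === -1 ? form : form.slice(0, cut)).split("/");
    if (segments.length > limits.maxSegments) return "too-many-segments";
    for (const seg of segments) {
      if (seg.split(",").length > limits.maxListItems) return "too-many-list-items";
    }
  }
  return null;
}

// Triage for step 5: which logged request URIs would the guard have rejected?
function flagLoggedUris(uris: string[], limits: UriLimits = DEFAULT_LIMITS): string[] {
  const flagged: string[] = [];
  for (const uri of uris) {
    const reason = uriRejectReason(uri, limits);
    if (reason !== null) flagged.push(reason + " " + uri.slice(0, 60));
  }
  return flagged;
}

// Constructed sample URIs (not from any real log).
const SAMPLE_URIS: string[] = [
  "files://docs/red,green,blue",
  "files://docs/" + new Array(40).join("x,") + "x",
  "files://docs/%E0%A4%A",
];
```

Call `uriRejectReason` in the request handler before any template matching and return an error response when it yields a reason code; the guard complements the CPU limits and alerting in steps 3 and 5 rather than replacing them.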

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
  8.4 - AI System Operation and Monitoring
  A.6.2.5 - AI system availability and resilience
NIST AI RMF
  GOVERN-6.2 - Policies and procedures are in place to address AI risk and compliance requirements
  MANAGE-2.2 - Risk Treatment and Response
  MANAGE-2.4 - Risks or related impacts from third-party entities are regularly monitored and updates or patches are applied in a timely manner
OWASP LLM Top 10
  LLM04 - Model Denial of Service
  LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-0621 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-0621, increasing the risk of exploitation.

What systems are affected by CVE-2026-0621?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, model serving, API gateways.

What is the CVSS score for CVE-2026-0621?

CVE-2026-0621 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

Exploitation Scenario

An attacker identifies an internet-facing MCP server powering an AI agent deployment (e.g., a company's internal AI assistant with tool-use capabilities). The attacker sends a single HTTP request containing a crafted URI matching an RFC 6570 exploded array pattern—such as a deeply nested structure like %7B+list*%7D with a payload designed to trigger catastrophic backtracking in the dynamically generated regex. The Node.js event loop saturates at 100% CPU, blocking all subsequent requests. The AI agent becomes unresponsive for all users. The attacker may repeat this with minimal infrastructure (single HTTP request) to maintain the DoS state, effectively disrupting business operations that depend on AI-assisted workflows. No authentication, credentials, or AI/ML knowledge is required.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: January 5, 2026
Last Modified: January 30, 2026
First Seen: January 5, 2026
