Critical ReDoS Vulnerability in MCP TypeScript SDK: What AI Developers Need to Know

The Model Context Protocol (MCP) has rapidly become the de-facto standard for connecting AI agents to external tools and data sources. With over 97 million monthly SDK downloads and adoption by major players like OpenAI, Google, and Microsoft, any security vulnerability in the MCP ecosystem demands immediate attention.

A recently disclosed Regular Expression Denial of Service (ReDoS) vulnerability in the MCP TypeScript SDK (CVE-2026-0621) demonstrates the security challenges facing the rapidly evolving AI agent infrastructure.

What is MCP and Why Does This Matter?

The Model Context Protocol, introduced by Anthropic in November 2024, is an open standard that enables AI systems to securely connect with external data sources and tools. Think of it as a universal adapter that allows Claude, ChatGPT, and other AI assistants to interact with your databases, APIs, file systems, and enterprise applications.

In December 2025, Anthropic donated MCP to the Agentic AI Foundation under the Linux Foundation, alongside contributions from OpenAI, Google, Microsoft, AWS, and Cloudflare. This makes MCP not just Anthropic's protocol but an industry standard.

The TypeScript SDK is one of the primary ways developers implement MCP servers and clients. A vulnerability here affects a massive portion of the MCP ecosystem.

The Vulnerability: Catastrophic Backtracking

The vulnerability exists in the UriTemplate class, specifically in how it handles RFC 6570 URI templates with exploded array patterns like {/id*} and {?tags*}.

The Problematic Code

Located in typescript-sdk/src/shared/uriTemplate.ts, the partToRegExp() function generates regular expressions for matching URIs against templates. The problematic pattern:

1([^/]+(?:,[^/]+)*)

This regex contains nested quantifiers — the + inside (?:,[^/]+)*. When the regex engine encounters input that almost matches but ultimately fails, it must backtrack through exponentially many possible combinations.

How ReDoS Works

Regular Expression Denial of Service exploits the backtracking behavior of regex engines. Consider matching the vulnerable pattern against a malicious input like:

1/users/a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,aFAIL/

The regex engine tries every possible way to match:

1. First, it matches everything up to "FAIL"
2. When "FAIL" doesn't match /, it backtracks
3. It tries a shorter match for the first [^/]+
4. Then re-tries the repetition (?:,[^/]+)*
5. This creates exponential combinations

Normal inputs process in under 1 millisecond. Crafted payloads with 30+ repeated comma-separated values take 58+ seconds before crashing the server.

Attack Scenario

Any MCP client can exploit this vulnerability by sending a malicious resource read request:

1// Malicious client request
2const maliciousUri = '/users/' + 'a,'.repeat(50) + 'EXPLOIT/';
3await client.readResource({ uri: maliciousUri });

The MCP server processes this URI against its registered templates:

1const variables = template.resourceTemplate.uriTemplate.match(uri.toString());

The server's event loop blocks while the regex engine catastrophically backtracks. All connected clients lose service. The Node.js process eventually crashes from resource exhaustion.

Impact Assessment

CVSS Score: 8.7 (High)

The vulnerability characteristics make it particularly dangerous:

• No Authentication Required: Any connected MCP client can trigger the attack
• No User Interaction: The attack is entirely automated
• High Availability Impact: Complete denial of service to all clients
• Low Attack Complexity: Trivial payload construction

For organizations running MCP servers in production environments, this vulnerability poses a significant operational risk. A single malicious request can take down an entire AI integration infrastructure.

Affected Versions

All versions of the MCP TypeScript SDK through version 1.25.1 are affected. At the time of writing, no patched version has been released.

Only exploded array patterns are vulnerable. Simple URI variables like {id} or {name} remain unaffected.

Mitigation Strategies

Immediate Actions

1. Input Validation

Add request-level validation before URI template matching:

1function validateUri(uri: string): boolean {
2  // Reject URIs with excessive comma-separated values
3  const segments = uri.split('/');
4  for (const segment of segments) {
5    const commaCount = (segment.match(/,/g) || []).length;
6    if (commaCount > 10) {
7      return false;
8    }
9  }
10  return true;
11}

2. Request Timeouts

Implement aggressive timeouts for URI matching operations:

1const timeout = 100; // ms
2const result = await Promise.race([
3  template.match(uri),
4  new Promise((_, reject) => 
5    setTimeout(() => reject(new Error('URI matching timeout')), timeout)
6  )
7]);

3. Rate Limiting

Limit requests per client to minimize blast radius.

The Fix

The recommended fix changes the regex pattern to exclude commas in the initial character class:

1// Vulnerable
2([^/]+(?:,[^/]+)*)
3
4// Fixed
5([^/,]+(?:,[^/,]+)*)

This small change eliminates the nested quantifier ambiguity by ensuring commas only appear between segments, not within them.

Broader Implications for AI Security

This vulnerability highlights several concerning trends in the AI tooling ecosystem:

1. Rapid Adoption Outpaces Security Review

MCP went from experimental protocol to industry standard in under 12 months. With 97 million monthly downloads and thousands of community servers, security issues have massive blast radius.

2. Supply Chain Risk

Every MCP server using the TypeScript SDK inherits this vulnerability. Organizations may not even realize they're exposed if they're using third-party MCP servers.

3. Authentication Gaps

Earlier research found that most internet-exposed MCP servers lack any form of authentication. Combined with this DoS vulnerability, the attack surface is considerable.

4. Agent Security is Infrastructure Security

As AI agents increasingly handle critical business operations, vulnerabilities in agent infrastructure become critical infrastructure vulnerabilities.

Responsible Disclosure Timeline

• September 24, 2025: Vulnerability reported by security researcher "weblover12"
• October 2025: Issue confirmed reproducible, labeled P0 (critical)
• December 2025: CVE-2026-0621 assigned with CVSS 8.7
• January 2026: No patch released as of version 1.25.1

Recommendations

For MCP Server Operators:

1. Implement input validation immediately
2. Add request timeouts for URI operations
3. Monitor for unusual request patterns
4. Prepare rollback plans if attacks occur

For MCP SDK Developers:

1. Watch GitHub Issue #965 for updates
2. Consider patching locally until an official fix releases
3. Test your URI templates for ReDoS susceptibility

For Organizations Evaluating MCP:

1. Include security assessment in your evaluation criteria
2. Prefer authenticated MCP deployments
3. Network-isolate MCP servers from untrusted clients

Conclusion

The MCP TypeScript SDK ReDoS vulnerability is a stark reminder that the AI agent ecosystem is still maturing. As these protocols become critical infrastructure, the security bar must rise accordingly.

The good news: the fix is straightforward and the community is engaged. The concerning news: a critical vulnerability in a protocol used by millions remains unpatched months after disclosure.

For now, implement the mitigations above and stay vigilant. The age of AI agents is here — and so are the security challenges that come with it.