Executive Summary

CVE-2026-0621 is a Regular Expression Denial of Service (ReDoS) vulnerability in the MCP TypeScript SDK's UriTemplate class. It occurs when processing exploded array patterns defined by RFC 6570, where a dynamically generated regular expression contains nested quantifiers. This causes catastrophic backtracking on specially crafted inputs, leading to excessive CPU consumption and making the Node.js process unresponsive. Attackers exploit this by sending malicious URIs that trigger the vulnerable regex, causing denial of service. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the affected server to consume 100% CPU, leading to crashes and denial of service. It results in service unavailability affecting all clients relying on the MCP server using exploded URI patterns. The Node.js process becomes unresponsive, severely degrading service availability and operational stability. Attackers need network access and MCP client permissions to exploit this. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage or unresponsive Node.js processes when handling URIs with exploded array patterns. Specifically, look for requests containing comma-separated values in URI segments matching patterns like {/id*} or {?tags*}. To detect exploitation attempts, you can use network monitoring tools or logs to identify suspicious URIs with multiple comma-separated values. Additionally, you can test the vulnerable regex pattern locally by running a script that uses the MCP TypeScript SDK's UriTemplate.match() method with crafted inputs that include repeated comma-separated values to observe if the process hangs or consumes excessive CPU. Example command to test locally (Node.js): ```node -e "const { UriTemplate } = require('mcp-typescript-sdk'); const template = new UriTemplate('/users{/id*}'); console.time('match'); template.match('/users/user1,user2,user3,user4,user5FAIL/'); console.timeEnd('match');"``` If the matching takes an unusually long time or hangs, the vulnerability is present. For network detection, use tools like tcpdump or Wireshark to filter HTTP requests with suspicious URI patterns or use log analysis to find requests with multiple comma-separated values in exploded array pattern segments. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the vulnerable regular expression pattern in the MCP TypeScript SDK's UriTemplate class to a safer version that prevents catastrophic backtracking. Specifically, change the regex from `([^/]+(?:,[^/]+)*)` to `([^/,]+(?:,[^/,]+)*)`, which excludes commas from the character class and prevents nested quantifiers from causing excessive backtracking. Additionally, update the MCP TypeScript SDK to a version that includes this fix or apply a patch to the `typescript-sdk/src/shared/uriTemplate.ts` file to modify the regex pattern accordingly. Until the fix is applied, consider restricting or validating incoming URIs to block or sanitize requests containing suspicious exploded array patterns with multiple comma-separated values. Monitoring and rate limiting requests that match the vulnerable pattern can also help reduce the risk of exploitation. [1]

Useful 0 Not Useful 0