Executive Summary

CVE-2026-10692 is a Regular Expression Denial of Service (ReDoS) vulnerability in the code-index-mcp server, specifically in the search_code_advanced tool's is_safe_regex_pattern function. The vulnerability arises when an attacker supplies a malicious regex pattern with nested quantifiers that cause the regex engine to perform exponential-time matching, exhausting CPU resources and causing the server to hang indefinitely.

This happens because the is_safe_regex_pattern function only checks for a few specific substrings and fails to detect dangerous patterns like (a+)+$. When no external search tools are available, the server falls back to a basic search strategy using Python's regex module without timeout protection, making it vulnerable to crafted regex patterns that trigger catastrophic backtracking.

The attack can be launched remotely without authentication by manipulating the regex argument, and it blocks all subsequent tool invocations until the server is manually restarted.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a Denial of Service (DoS) condition on the code-index-mcp server by exhausting CPU resources through maliciously crafted regex patterns. This causes the server to hang indefinitely, blocking all further operations until it is manually terminated and restarted.

If you rely on the code-index-mcp tool for code indexing, searching, or analysis, this could disrupt your workflows, delay development processes, and reduce productivity.

The vulnerability requires no authentication and can be exploited remotely, increasing the risk of attack if the system is exposed.

Upgrading to version 2.14.1 mitigates this risk by disabling regex in the basic fallback mode and requiring native search tools for regex functionality.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the system's response to crafted malicious regex patterns that cause catastrophic backtracking and high CPU usage. Specifically, patterns with nested quantifiers like (a+)+$, (.)$, or ([a-z]+)+$ can be used against files containing repeated characters followed by a non-matching terminator (e.g., "aaaaaaaaaaaaaaaaaaaaaaaaab").

A proof-of-concept script exists that times out after 10 seconds when processing such malicious regex against crafted files, indicating the presence of the vulnerability.

Detection involves observing if the server hangs or experiences high CPU usage when processing these regex patterns, especially when no external search tools (ripgrep, ag, grep, ugrep) are installed and the fallback BasicSearchStrategy is used.

Suggested commands or steps include running regex searches with malicious patterns against files with repeated characters to see if the server becomes unresponsive or times out.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the johnhuang316 code-index-mcp server to version 2.14.1 or later, which addresses this vulnerability by changing the default search behavior to literal matching instead of regex and making regex mode opt-in.

In version 2.14.1, regex execution is disabled in the basic fallback mode and requires a native search tool like ag, ripgrep, or ugrep to be installed for regex functionality, preventing exploitation via the vulnerable fallback regex engine.

If upgrading immediately is not possible, ensure that external native search tools are installed and configured properly to avoid using the vulnerable BasicSearchStrategy fallback.

Additionally, restrict or validate user input for regex patterns to prevent attackers from supplying malicious regex.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-10692 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0