CVE-2026-0621: Event-Loop Denial of Service in the MCP TypeScript SDK

TL;DR
A high-severity Regular Expression Denial of Service (ReDoS) vulnerability in the MCP TypeScript SDK allows a single crafted URI to fully block the Node.js event loop, taking down MCP servers. The issue is fixed in v1.25.2 and should be patched immediately.

Summary

• Identifier: CVE-2026-0621 (GHSA-8r9q-7v3j-jr4g)
• Severity: 8.7 (High)
• Affected Component: @modelcontextprotocol/sdk
• Impact: Total Node.js event-loop blockage (Denial of Service)
• Status: Patched in v1.25.2

A specifically crafted URI can trigger an exponential CPU spike inside the MCP TypeScript SDK, freezing the entire MCP server. In 2026’s agent-heavy environments, this allows a single malicious interaction to disrupt centralized AI orchestrators and automated workflows.

Threat Overview

This vulnerability is a classic Regular Expression Denial of Service (ReDoS) issue. It resides in the URI template parser used by the SDK to map incoming MCP tool calls to registered resources.

An attacker can execute a complexity attack, where a single small request consumes 100% of a CPU core indefinitely. While the flaw does not enable data exfiltration or remote code execution, it is highly effective at destroying service availability.

Affected Scope

• Affected Versions: <= 1.25.1
• Unaffected Versions: >= 1.25.2
• Deployments at Risk: Any MCP server (self-hosted or cloud) using the TypeScript SDK

• Exploitation Prerequisites:

  • At least one registered resource template using exploded variables (*, RFC 6570)
  • No authentication required if the MCP endpoint is public

Technical Root Cause

The root cause is catastrophic backtracking inside the UriTemplate class, specifically in the partToRegExp() function.

When expanding array-based URI patterns, the SDK generates a regular expression containing nested quantifiers—a repetition inside another repetition. If the input string almost matches but fails at the final character, the regex engine attempts every possible permutation of the internal groups.

Because the V8 regex engine (used by Node.js) evaluates these patterns as non-deterministic finite automata, execution time grows exponentially rather than linearly.

Exploitation Mechanics

• Vulnerable Pattern: Exploded variables in resource templates (e.g. {/ids*})
• Attacker-Controlled Input: A URI with a large number of delimiters (commas) followed by a non-matching character

• Runtime Behavior:

  • Each additional comma doubles the number of execution paths
  • Results in exponential backtracking (2^n complexity)

• Failure Mode:

  • Node.js is single-threaded
  • The event loop is completely blocked
  • Health checks fail and the server becomes unresponsive until forcibly terminated

Systemic Risk in Agentic Environments

In 2026, the impact of CVE-2026-0621 is amplified by the agentic web.

MCP servers are rarely called directly by humans. Instead, they are invoked by LLM-based agents. This creates an indirect prompt injection vector:

1. An attacker embeds a malicious instruction inside a document or website
2. An LLM consumes this data
3. The agent generates the malicious ReDoS URI itself
4. The MCP server executes it

The agent becomes an unwitting delivery mechanism, bypassing traditional network-level defenses that only inspect “human-like” traffic.

Impact Assessment

• Technical Impact:

  • 100% CPU saturation on a single Node.js thread

• Service Impact:

  • Complete MCP server outage
  • Tool calls fail across connected agents

• Organizational Impact:

  • Severe SLO violations
  • Potential cascading failures as orchestrators repeatedly restart hung containers, creating retry storms

Remediation and Fix

• Fixed Version: @modelcontextprotocol/sdk@1.25.2
• Fix Type: Regex generation hardening (Commit b392f02)

Why the Fix Works

The patch modifies the negated character sets to be mutually exclusive with delimiters (for example, changing [^/]+ to [^/,]+). This removes ambiguity in the regex execution path and forces linear-time evaluation, eliminating catastrophic backtracking.

• Backward Compatibility: Fully preserved
• Breaking Changes: None

Mitigations and Defensive Controls

Immediate Actions

• Upgrade Immediately:

  npm update @modelcontextprotocol/sdk

• Audit Templates: Search for resource templates using the * modifier (e.g. {?list*})

Short-Term Mitigations

• WAF Controls: Rate-limit MCP endpoints and flag URIs with excessive repeating delimiters
• Timeouts: Enforce timeouts at the request or worker boundary, not inside the regex engine itself (e.g. kill execution if it exceeds 500ms)

Long-Term Recommendations

• Resource Isolation: Run MCP servers with strict CPU quotas to prevent host-level starvation
• Adversarial Testing: Add fuzz testing for URI templates and agent-generated inputs in CI/CD pipelines

Lessons Learned

• Availability is Security: A system that is safe but unavailable is still insecure
• Adversarial Parsers: Any component that converts templates into executable logic (regex, ASTs, query planners) is a high-risk entry point
• AI Is Not a Trusted Input: LLM-generated strings must be treated with the same skepticism as raw user input

References and Timeline

• CVE: CVE-2026-0621
• Security Advisory: NVD – CVE-2026-0621
• Upstream Issue: GitHub Issue #965
• Fix PR: GitHub Pull Request #1365
• Disclosure Date: January 6, 2026
• Patch Release Date: January 6, 2026