CVE-2026-0621: Single-Request Denial of Service in MCP TypeScript SDK via Catastrophic Regex Backtracking

Vulnerability Overview (At-a-Glance)

  • CVE ID: CVE-2026-0621
  • Product: Anthropic Model Context Protocol (MCP) TypeScript SDK
  • Component: UriTemplate parsing and matching logic
  • Vulnerability Type: Regular Expression Denial of Service (ReDoS)
  • Severity: High
  • CVSS v4 Score: 8.7
  • Attack Vector: Remote / Network
  • Privileges Required: None
  • User Interaction: None
  • Impact: Availability (Node.js process stall / CPU exhaustion)
  • Exploitability: High
  • Exploit Availability: Public proof-of-concept techniques are known
  • Affected Versions: MCP TypeScript SDK versions up to and including 1.25.1
  • Fixed Version: Available via official upstream patch (see patch section)

Executive Summary

CVE-2026-0621 is a denial-of-service vulnerability caused by unsafe regular expression construction in the MCP TypeScript SDK’s URI template handling logic.

A single specially crafted HTTP request can cause a Node.js process using the SDK to become CPU-bound and unresponsive, effectively taking the service offline. This happens because certain URI templates—specifically those using exploded array syntax—generate catastrophically backtracking regular expressions.

This issue is particularly dangerous in Node.js environments because the event loop is single-threaded. Once the regex engine enters catastrophic backtracking, all request handling stops, even though the process may still appear “alive.”


Root Cause – What Went Wrong

1. Unsafe Dynamic Regex Generation

The MCP SDK implements RFC 6570 URI templates.
When parsing templates that include the explode modifier (*), the SDK dynamically generates regular expressions to match incoming request paths and query strings.

Examples of exploded templates:

  • {?ids*}
  • {/path*}
  • {&tags*}

Internally, these templates result in regex patterns with:

  • Nested quantifiers
  • Repeating capture groups
  • Optional sub-patterns inside repetitions

This creates regex structures similar to:

((segment)+)+

or

([^,]+,?)+

2. Catastrophic Backtracking

JavaScript’s regex engine (used by Node.js) performs backtracking when evaluating patterns.
With nested quantifiers, certain inputs cause the engine to try exponentially many match paths.

An attacker can exploit this by sending:

  • Extremely long inputs
  • Inputs with repeating separators
  • Inputs that almost match, but fail late in the pattern

The result:

  • CPU usage spikes to 100% on a single core
  • Event loop is blocked
  • Application stops responding

Exploitation Scenario

  1. A Node.js application exposes an HTTP endpoint that uses MCP SDK URI templates.
  2. The endpoint accepts array-like parameters (path or query).
  3. An attacker sends one request with:
    • Thousands of repeated values
    • Repeated separators (, or %2C)
    • Encoded characters to bypass naive length checks
  4. The MCP SDK attempts to match the URI using its generated regex.
  5. Regex engine enters catastrophic backtracking.
  6. The Node.js process becomes unresponsive.

No authentication is required.
No rate limiting is required.
One request is sufficient.


Example Attack Payload Patterns (For Detection & Testing Only)

Do NOT use these against production systems

Query-based payload

GET /mcp/resource?ids=a,a,a,a,a,a,a,a,a,a,a,a,a,a,a,...

Encoded separator payload

GET /mcp/resource?ids=a%2Ca%2Ca%2Ca%2Ca%2Ca%2C...

Path-based payload

GET /mcp/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

The payload does not need to be “invalid.”
It only needs to stress the regex.


Impact

  • Complete service unavailability
  • Node.js process stall without crash (harder to detect)
  • Cascading failures in upstream services
  • Load balancers may continue routing traffic to a dead process
  • Auto-scaling may not trigger if health checks are shallow

This is pure availability impact — no data exposure or code execution.


MITRE Classification

  • CWE-1333: Inefficient Regular Expression Complexity
  • Attack Category: Application-layer Denial of Service
  • Kill Chain Phase: Impact

Detection Strategy

1. Behavioral Indicators

  • Sudden CPU spike on Node.js processes
  • Event loop lag > 200ms sustained
  • Requests hanging indefinitely
  • Increased 502 / 504 responses from reverse proxy
  • No corresponding increase in request volume

2. Application-Level Signals

Monitor:

  • Request processing time
  • Event loop delay
  • Per-route latency
  • Garbage collection pressure

Strong indicator:

High CPU + low throughput + no errors logged


3. Log Sources to Monitor

Log Source           What to Look For
Web access logs      Extremely long URIs or query strings
Application logs     Requests that never complete
APM metrics          Event loop lag, CPU saturation
Load balancer logs   Backend timeout errors
WAF logs             Repeated separator patterns

Detection Rules

1. Sigma Rule – Web Logs

title: MCP UriTemplate ReDoS Attempt
status: experimental
logsource:
  product: web
  service: http
detection:
  suspicious_uri:
    # both fields in one selection are ANDed: long URI and a long run of separators
    # length checks are not a standard Sigma modifier; map len_gt to your backend's equivalent
    Request_URI|len_gt: 300
    Request_URI|re: '(%2C|,){50,}'
  condition: suspicious_uri
level: high
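The rule's two conditions applied to access-log lines, as an added example that is not from the advisory or the MCP SDK. It reports each condition separately so thresholds can be tuned, and adds a total-separator count (an assumed threshold of 100) because a comma-separated value such as a,a,a,... never has fifty separators back-to-back; the log lines are constructed.

```javascript
// Added example (not from the advisory or the MCP SDK): applies the Sigma
// rule's conditions to access-log lines so they can be checked offline.
const SEPARATOR = /(?:%2C|,)/gi;                  // literal or URL-encoded comma
const CONSECUTIVE_SEPARATORS = /(?:%2C|,){50,}/i;  // the rule's regex condition

// uriLength and consecutiveSeparators come from the Sigma rule; totalSeparators
// is an added heuristic (assumed value) for comma-separated values such as
// "a,a,a,...", where separators never repeat back-to-back.
const THRESHOLDS = { uriLength: 300, consecutiveSeparators: 50, totalSeparators: 100 };

// Pulls the request URI out of a combined-format access log line.
function extractRequestUri(line) {
  const m = line.match(/"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

function countSeparators(uri) {
  return (uri.match(SEPARATOR) || []).length;
}

// Returns the names of every condition the URI trips (empty when benign).
function classifyUri(uri) {
  const reasons = [];
  if (uri.length > THRESHOLDS.uriLength) reasons.push('uri_length');
  if (CONSECUTIVE_SEPARATORS.test(uri)) reasons.push('consecutive_separators');
  if (countSeparators(uri) >= THRESHOLDS.totalSeparators) reasons.push('total_separators');
  return reasons;
}

// One finding per suspicious line: { line, uri, reasons }.
function scanAccessLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const uri = extractRequestUri(line);
    if (!uri) return;
    const reasons = classifyUri(uri);
    if (reasons.length > 0) findings.push({ line: i + 1, uri, reasons });
  });
  return findings;
}

// Constructed sample lines (not real traffic): one benign request, one long
// comma-separated value, one run of encoded separators.
const SAMPLE_LOG = [
  '203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET /mcp/resource?ids=1,2,3 HTTP/1.1" 200 512',
  '203.0.113.11 - - [01/Jan/2026:10:00:01 +0000] "GET /mcp/resource?ids=' + 'a,'.repeat(200) + 'a HTTP/1.1" 504 0',
  '203.0.113.12 - - [01/Jan/2026:10:00:02 +0000] "GET /mcp/resource?ids=a' + '%2C'.repeat(60) + 'a HTTP/1.1" 504 0',
];
```

Running scanAccessLog(SAMPLE_LOG) flags the second line on length and total separators and the third on consecutive separators only, which is why the Sigma rule's AND of both fields would miss the plain comma-list case.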

2. ModSecurity (WAF)

SecRule REQUEST_URI "@rx (%2C|,){100,}" \
"id:900001,phase:2,deny,log,msg:'Potential MCP UriTemplate ReDoS attempt'"

Start in log-only mode before enforcing.


3. NGINX (Preventive)

if ($request_uri ~* "(%2C|,){100,}") {
    return 414;
}

4. Node.js Runtime Detection

  • Alert if:
    • Event loop delay > 250ms for > 30s
    • CPU > 85% with < normal request throughput
  • Automatically restart process if thresholds exceeded
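An in-process watchdog for the runtime thresholds above, as an added example that is not from the advisory or the MCP SDK. It probes the event loop with a timer and alerts once consecutive late probes add up to the sustained window; the probe interval is an assumed value, and onAlert is where a clustered deployment would exit so the primary respawns the worker.

```javascript
// Added example (not from the advisory or the MCP SDK): an in-process event
// loop watchdog using the thresholds above. intervalMs is an assumed value.
const WATCHDOG = {
  intervalMs: 100,     // how often the probe timer is scheduled
  delayMs: 250,        // a probe this late counts as a stalled loop
  sustainedMs: 30000,  // stall must persist this long before alerting
};

// Pure decision logic over probe samples ({ atMs, delayMs }), newest last.
// Walks back through the trailing run of late probes and sums their delay;
// one probe that is 30 s late (the loop was blocked by a single request)
// alerts just as a long run of moderately late probes does.
function evaluateSamples(samples, cfg = WATCHDOG) {
  let blockedMs = 0;
  for (let i = samples.length - 1; i >= 0 && samples[i].delayMs > cfg.delayMs; i--) {
    blockedMs += samples[i].delayMs;
  }
  return blockedMs >= cfg.sustainedMs;
}

// Probe: a timer that fires late means the loop was busy. While a regex is
// backtracking the timer cannot fire at all, so the first probe after the
// stall carries the whole stall as its delay. Returns a stop function.
function startEventLoopWatchdog(onAlert, cfg = WATCHDOG) {
  let samples = [];
  let expected = Date.now() + cfg.intervalMs;
  let timer = setTimeout(function probe() {
    const now = Date.now();
    const delayMs = Math.max(0, now - expected);
    // an on-time probe ends the run; only consecutive late probes accumulate
    samples = delayMs > cfg.delayMs ? samples.concat({ atMs: now, delayMs }) : [];
    if (evaluateSamples(samples, cfg)) {
      onAlert({ blockedMs: samples.reduce((t, s) => t + s.delayMs, 0), samples });
      samples = [];
    }
    expected = now + cfg.intervalMs;
    timer = setTimeout(probe, cfg.intervalMs);
    timer.unref(); // never keep the process alive just for the watchdog
  }, cfg.intervalMs);
  timer.unref();
  return () => clearTimeout(timer);
}
```

Because the probe itself cannot run while the loop is blocked, the alert arrives when the stall ends; pair it with an external health check that times out so a load balancer stops routing to the stalled worker in the meantime.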

Mitigation & Hardening

Immediate (If Patch Not Yet Applied)

  • Enforce strict URI length limits
  • Cap query parameter size and count
  • Add WAF rules for repeated separators
  • Rate-limit endpoints using URI templates
  • Run Node.js in clustered mode to isolate failures

Long-Term (Recommended)

  • Upgrade to the official patched MCP SDK version
  • Avoid regex-based URI matching for untrusted input
  • Use linear-time parsers for structured data
  • Instrument event loop monitoring
  • Treat template parsing as untrusted input handling
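A bounded, linear-time parser for the exploded list forms the advisory discusses ({?ids*} and {/path*}), as an added example that is not the MCP SDK's code or its fix. It visits each character once instead of matching a ([^,]+,?)+ style pattern, and enforces length and item caps on the still-encoded input; the limit values are assumptions for illustration.

```javascript
// Added example, not the MCP SDK's code: a bounded, linear-time replacement
// for exploded-list matching of the ([^,]+,?)+ kind from the root-cause
// section. Limits are assumed values for illustration, not SDK defaults.
const LIMITS = { maxRawLength: 2048, maxItems: 100, maxItemLength: 64 };

class UriLimitError extends Error {}

// One pass over the raw (still percent-encoded) string: each character is
// visited once, so cost is O(n) however many separators it holds. Caps are
// checked on the encoded form, so "%2C" cannot shrink a length check.
function splitBounded(raw, separator, limits = LIMITS) {
  if (raw.length > limits.maxRawLength) throw new UriLimitError('input too long');
  const items = [];
  let start = 0;
  for (let i = 0; i <= raw.length; i++) {
    if (i < raw.length && raw[i] !== separator) continue;
    const piece = raw.slice(start, i);
    start = i + 1;
    if (piece.length === 0) throw new UriLimitError('empty item');
    if (piece.length > limits.maxItemLength) throw new UriLimitError('item too long');
    if (items.length === limits.maxItems) throw new UriLimitError('too many items');
    try {
      items.push(decodeURIComponent(piece));
    } catch (e) {
      throw new UriLimitError('malformed percent-encoding');
    }
  }
  return items;
}

// {?ids*}: the exploded list arrives as ids=a,b,c. An encoded comma (%2C)
// is a literal comma inside one value, not a separator.
function parseExplodedQuery(query, name, limits = LIMITS) {
  if (query.length > limits.maxRawLength) throw new UriLimitError('query too long');
  const body = query.startsWith('?') ? query.slice(1) : query;
  for (const pair of body.split('&')) {
    if (pair.startsWith(name + '=')) return splitBounded(pair.slice(name.length + 1), ',', limits);
  }
  return [];
}

// {/path*}: exploded path segments such as /mcp/a/b.
function parseExplodedPath(path, limits = LIMITS) {
  return splitBounded(path.startsWith('/') ? path.slice(1) : path, '/', limits);
}
```

Rejections surface as UriLimitError so the route handler can answer 414 or 400 immediately instead of letting the input reach any regex.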

Official Patch Information

The vulnerability has been addressed in the upstream MCP TypeScript SDK via an official patch that removes unsafe regex constructions and replaces them with safer, linear-time matching logic.

Action required:

  • Upgrade the MCP TypeScript SDK to the latest officially released fixed version.
  • Verify that the changelog explicitly mentions mitigation of URI template ReDoS or CVE-2026-0621.

Do not rely on unofficial forks or partial fixes.


Final Risk Assessment

Category                    Risk
Ease of Exploitation        High
Detectability               Medium
Business Impact             High
Likelihood in Public APIs   Very High

This vulnerability should be treated as production-critical for any internet-facing Node.js service using MCP.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.