What is the CVSS score of CVE-2026-0621?

CVE-2026-0621 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Node.js are affected by CVE-2026-0621?

CVE-2026-0621 presents notable security risk rated CVSS 7.5. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2026-0621?

Yes, a public proof-of-concept exploit is available for CVE-2026-0621. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-0621?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Monitor vendor channels for patch availability.

Node.js CVE-2026-0621

HIGH

Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)

2026-01-05 disclosure@vulncheck.com

GHSA-8r9q-7v3j-jr4g

Node.js Denial Of Service AI / ML Mcp Typescript Sdk

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 30, 2026 - 01:16 vuln.today

Public exploit code

CVE Published

Jan 05, 2026 - 21:16 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

614 npm packages depend on @modelcontextprotocol/sdk (197 direct, 434 indirect)

Ecosystem-wide dependent count for version 1.25.2.

DescriptionCVE.org

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

AnalysisAI

Denial of service in Anthropic MCP TypeScript SDK up to version 1.25.1 stems from catastrophic backtracking in regex processing of RFC 6570 URI templates, allowing remote attackers to trigger excessive CPU consumption and crash Node.js processes without authentication. Public exploit code exists for this vulnerability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious URI with exploded array pattern

Delivery

Submit to MCP TypeScript SDK UriTemplate parser

Exploit

Trigger catastrophic regex backtracking

Execution

Exhaust CPU resources

Impact

Node.js process becomes unresponsive

Access

Craft malicious URI with exploded array pattern

Delivery

Submit to MCP TypeScript SDK UriTemplate parser

Exploit

Trigger catastrophic regex backtracking

Execution

Exhaust CPU resources

Impact

Node.js process becomes unresponsive

Vulnerability AssessmentAI

Exploitation	MCP TypeScript SDK versions up to 1.25.1 processing untrusted RFC 6570 URI templates with exploded array patterns through the UriTemplate class. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this flaw, a denial of service.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL Act Now

9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a

CVE-2026-48714 CRITICAL Act Now

9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p

CVE-2026-53609 CRITICAL Act Now

9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object

CVE-2026-48054 HIGH This Week

8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied

CVE-2026-53608 HIGH This Week

8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

CVE-2026-0621 vulnerability details – vuln.today

Back

Node.js CVE-2026-0621

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code