What is the CVSS score of CVE-2026-25536?

CVE-2026-25536 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Mcp Typescript Sdk are affected by CVE-2026-25536?

CVE-2026-25536 is a HIGH severity vulnerability in the MCP TypeScript SDK that could allow attackers to compromise systems using this component.. A patch is available.

Mcp Typescript Sdk CVE-2026-25536

HIGH

Race Condition (CWE-362)

2026-02-04 security-advisories@github.com

GHSA-345p-7cg4-v4c7

Information Disclosure Race Condition Red Hat Mcp Typescript Sdk

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 04, 2026 - 22:15 nvd

HIGH 7.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

7 npm packages depend on @modelcontextprotocol/sdk (7 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.10.0.

DescriptionNVD

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.

AnalysisAI

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. [CVSS 7.1 HIGH]

RemediationAI

Within 24 hours: Identify all systems and applications using MCP TypeScript SDK and document affected inventory. Within 7 days: Implement network segmentation to restrict MCP component communication and increase monitoring for suspicious activity. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory