Skip to main content

Mcp Typescript Sdk CVE-2026-25536

HIGH
Race Condition (CWE-362)
2026-02-04 security-advisories@github.com GHSA-345p-7cg4-v4c7
7.1
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 04, 2026 - 22:15 nvd
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7 npm packages depend on @modelcontextprotocol/sdk (7 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.10.0.

DescriptionCVE.org

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.

AnalysisAI

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. [CVSS 7.1 HIGH]

Technical ContextAI

Classified as CWE-362 (Race Condition). MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.

RemediationAI

Fixed in version 1.26.0.. Restrict network access to the affected service where possible.

Vendor StatusVendor

Share

CVE-2026-25536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy