Mcp Typescript Sdk
CVE-2026-25536
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 7 npm packages depend on @modelcontextprotocol/sdk (7 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.10.0.
DescriptionCVE.org
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.
AnalysisAI
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. [CVSS 7.1 HIGH]
Technical ContextAI
Classified as CWE-362 (Race Condition). MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.
RemediationAI
Fixed in version 1.26.0.. Restrict network access to the affected service where possible.
More in Mcp Typescript Sdk
View allDenial of service in Anthropic's Model Context Protocol (MCP) TypeScript SDK versions up to and including 1.25.1 allows
A security vulnerability in MCP TypeScript SDK (CVSS 8.1) that allows dns rebinding protection. High severity vulnerabil
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-345p-7cg4-v4c7