EUVD-2026-23300
GHSA-353c-v8x9-v7c3
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionNVD
Summary
The readRequestBody() function in src/transports/http/server.ts concatenates HTTP request body chunks into a string with no size limit, allowing a remote unauthenticated attacker to crash the server via memory exhaustion with a single large HTTP POST request.
Details
File: src/transports/http/server.ts, lines 224-240
private async readRequestBody(req: IncomingMessage): Promise<any> {
return new Promise((resolve, reject) => {
let body = '';
req.on('data', (chunk) => {
body += chunk.toString(); // No size limit
});
req.on('end', () => {
try {
const parsed = body ? JSON.parse(body) : null;
resolve(parsed);
} catch (error) {
reject(error);
}
});
req.on('error', reject);
});
}A maxMessageSize configuration value exists in DEFAULT_HTTP_STREAM_CONFIG (4MB, defined in src/transports/http/types.ts line 124) but is never enforced in readRequestBody(). This creates a false sense of security.
PoC
Local testing with 50MB POST payloads against the vulnerable readRequestBody() function:
| Trial | Payload | RSS growth | Time | Result | |-------|---------|-----------|------|--------| | 1 | 50MB | +197MB | 42ms | Vulnerable | | 2 | 50MB | +183MB | 46ms | Vulnerable | | 3 | 50MB | +15MB | 43ms | Vulnerable | | 4 | 50MB | +14MB | 32ms | Vulnerable | | 5 | 50MB | +65MB | 38ms | Vulnerable |
Reproducibility: 5/5 (100%)
Impact
- Denial of Service: Any mcp-framework HTTP server can be crashed by a single large POST request to /mcp
- No authentication required: readRequestBody() executes before any auth checks (auth is opt-in, default is no auth)
- Dead config: maxMessageSize exists but is never enforced, giving a false sense of security
- Affected: All applications using mcp-framework HttpStreamTransport (60,000 weekly npm downloads)
CWE-770: Allocation of Resources Without Limits or Throttling Suggested CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Suggested Fix
Enforce maxMessageSize in readRequestBody():
private async readRequestBody(req: IncomingMessage): Promise<any> {
const maxSize = this._config.maxMessageSize || 4 * 1024 * 1024;
return new Promise((resolve, reject) => {
let body = '';
let size = 0;
req.on('data', (chunk) => {
size += chunk.length;
if (size > maxSize) {
req.destroy();
reject(new Error('Request body too large'));
return;
}
body += chunk.toString();
});
// ...
});
}Disclosure Timeline
This report follows coordinated disclosure. I request a 90-day window before public disclosure.
Reporter: Raza Sharif, CyberSecAI Ltd ([email protected])
AnalysisAI
The readRequestBody() function in src/transports/http/server.ts concatenates HTTP request body chunks into a string with no size limit, allowing a remote unauthenticated attacker to crash the server via memory exhaustion with a single large HTTP POST request. File: src/transports/http/server.ts, lines 224-240 typescript private async readRequestBody(req: IncomingMessage): Promise<any> { return new Promise((resolve, reject) => { let body = ''; req.on('data', (chunk) => { body += chunk.toString(); // No size limit }); req.on('end', () => { try { const parsed = body ? …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today