Skip to main content

code-index-mcp EUVDEUVD-2026-34057

| CVE-2026-10692 LOW
Uncontrolled Resource Consumption (CWE-400)
2026-06-03 cna@vuldb.com GHSA-647r-72hf-4vmh
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 03, 2026 - 00:27 vuln.today
Analysis Generated
Jun 03, 2026 - 00:27 vuln.today

DescriptionCVE.org

A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function is_safe_regex_pattern of the component search_code_advanced. Executing a manipulation of the argument regex can lead to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.14.1 is able to address this issue. This patch is called 25bc02fac74051ddae15ce79e952f00211b1ea6b. Upgrading the affected component is recommended.

AnalysisAI

Uncontrolled resource consumption in johnhuang316 code-index-mcp versions up to 2.14.0 allows an authenticated remote attacker with low privileges to trigger a denial of service by supplying a catastrophically backtracking regex pattern to the search_code_advanced tool's regex argument. The is_safe_regex_pattern validation function fails to reject pathological patterns, causing the MCP server process to exhaust CPU resources and become unresponsive. A public proof-of-concept exploit exists (CVSS 4.0 E:P); no active exploitation via CISA KEV has been reported, and impact is limited to availability of the vulnerable component only.

Technical ContextAI

code-index-mcp is a Model Context Protocol (MCP) server for code indexing and search, authored by johnhuang316. The vulnerable function is_safe_regex_pattern within the search_code_advanced tool is responsible for validating caller-supplied regular expression patterns before executing search operations. CWE-400 (Uncontrolled Resource Consumption) applies here: the validation logic fails to detect or reject exponentially backtracking patterns - a class of ReDoS (Regular Expression Denial of Service) attack - allowing the underlying regex engine to consume unbounded CPU time on crafted inputs such as nested quantifiers (e.g., (a+)+$). The commit diff confirms the remediation approach: regex mode was changed from always-available to opt-in (regex=True required), and the default search mode reverted to literal-only matching. No CPE string was provided in the input data for this package.

RemediationAI

Upgrade to code-index-mcp version 2.14.1, which resolves this vulnerability via commit 25bc02fac74051ddae15ce79e952f00211b1ea6b, available at https://github.com/johnhuang316/code-index-mcp/releases/tag/v2.14.1. The patch changes regex mode from always-available to opt-in (regex=True required alongside a native search tool), making the default search mode literal-only and eliminating exposure to malicious patterns in standard deployments. As a compensating control prior to patching, restrict invocation of the search_code_advanced tool to fully trusted users only, since low-privilege authenticated access is sufficient for exploitation; this limits who can supply the crafted regex argument. Disabling or blocking access to the MCP server entirely for untrusted users is also effective but introduces trade-offs for legitimate search functionality.

Share

EUVD-2026-34057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy