@modelcontextprotocol/sdk
npm · 2 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @modelcontextprotocol/sdk
- CVE-2026-0621 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 1.25.2 · 2026-01-05
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated re…
- CVE-2026-25536 · HIGH · CVSS 7.1 · EG 7.1 · ✓ Fixed in 1.26.0 · 2026-02-04
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multipl…