Skip to content

fix: prevent ReDoS vulnerability in UriTemplate regex patterns#1363

Merged
pcarleton merged 2 commits intomodelcontextprotocol:mainfrom
DevJanderson:fix/redos-vulnerability-uritemplate
Jan 7, 2026
Merged

fix: prevent ReDoS vulnerability in UriTemplate regex patterns#1363
pcarleton merged 2 commits intomodelcontextprotocol:mainfrom
DevJanderson:fix/redos-vulnerability-uritemplate

Conversation

@DevJanderson
Copy link
Copy Markdown
Contributor

@DevJanderson DevJanderson commented Jan 7, 2026

Summary

This PR fixes the ReDoS (Regular Expression Denial of Service) vulnerability in the UriTemplate class (CVE-2026-0621).

Problem

The regex patterns for exploded array templates ({/id*} and {id*}) used ([^/]+(?:,[^/]+)*) which causes catastrophic backtracking when processing malicious URIs containing many commas.

Solution

Replace the vulnerable pattern with ([^/,]+(?:,[^/,]+)*) - explicitly excluding commas from the first character class prevents nested quantifier backtracking.

Changes

  • packages/core/src/shared/uriTemplate.ts: Fix regex patterns on lines 228 and 238
  • packages/core/test/shared/uriTemplate.test.ts: Add regression tests for ReDoS

Testing

All existing tests pass, plus 2 new tests verify the fix prevents ReDoS:

  • should not be vulnerable to ReDoS with exploded path patterns
  • should not be vulnerable to ReDoS with exploded simple patterns

Fixes #965

@DevJanderson
fix: prevent ReDoS vulnerability in UriTemplate regex patterns
cdb95d3 
Replace vulnerable regex pattern `([^/]+(?:,[^/]+)*)` with
`([^/,]+(?:,[^/,]+)*)` to prevent catastrophic backtracking
when processing malicious URIs with many commas.

The fix explicitly excludes commas from the first character class,
preventing nested quantifier backtracking.

Fixes #965
@DevJanderson DevJanderson requested a review from a team as a code owner January 7, 2026 00:56
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Jan 7, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 277a216

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
@modelcontextprotocol/core Patch
@modelcontextprotocol/server Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented Jan 7, 2026
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1363

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1363

commit: 277a216

@tats-u
Copy link
Copy Markdown

tats-u commented Jan 7, 2026

@DevJanderson You need to add a changeset first via pnpm changeset first. (Disclaimer: I'm not a maintainer) The change itself matches what I came up with.

https://makenowjust-labs.github.io/recheck/playground/ said the original regex (with ^ and $; /^([^\/]+(?:,[^\/]+)*)$/) is exponential (vulnerable) and the fixed regex is safe.

@tats-u
Copy link
Copy Markdown

tats-u commented Jan 7, 2026
edited
Loading

One more thing you may need to send another PR with the same content to the v1.x branch as a backport, too.

@pcarleton pcarleton mentioned this pull request Jan 7, 2026
Merged
pcarleton
pcarleton approved these changes Jan 7, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@pcarleton pcarleton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you!

@pcarleton pcarleton merged commit 0a75810 into modelcontextprotocol:main Jan 7, 2026
7 checks passed
This was referenced Jan 7, 2026
Open
Open
@pkuczynski
Copy link
Copy Markdown

pkuczynski commented Jan 7, 2026

Any plans for getting a new release with this fix?

This was referenced Jan 7, 2026
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
This was referenced Jan 15, 2026
Open
Open
Open
Closed
Open
Open
This was referenced Jan 22, 2026
Merged
Open
Open
Open
Open
This was referenced Jan 29, 2026
Merged
Open
This was referenced Feb 6, 2026
Open
Open
Open
Open
This was referenced Feb 15, 2026
Open
Open
Open
This was referenced Feb 22, 2026
Open
Open
Open
This was referenced Mar 5, 2026
Open
Open
This was referenced Mar 12, 2026
Open
Open
Open
This was referenced Mar 21, 2026
Closed
Open
Merged
mozmo15 pushed a commit to mozmo15/typescript-sdk that referenced this pull request Mar 30, 2026
@DevJanderson @pcarleton
fix: prevent ReDoS vulnerability in UriTemplate regex patterns (model…
804f2ba 
…contextprotocol#1363)

Co-authored-by: Paul Carleton <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pcarleton pcarleton pcarleton approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

MCP TypeScript SDK UriTemplate ReDoS

4 participants

@DevJanderson @tats-u @pkuczynski @pcarleton