fix: prevent ReDoS vulnerability in UriTemplate regex patterns #1363
Replace vulnerable regex pattern `([^/]+(?:,[^/]+)*)` with `([^/,]+(?:,[^/,]+)*)` to prevent catastrophic backtracking when processing malicious URIs with many commas. The fix explicitly excludes commas from the first character class, preventing nested quantifier backtracking. Fixes modelcontextprotocol#965
Changeset detected. Latest commit: 277a216. The changes in this PR will be included in the next version bump. This PR includes changesets to release 2 packages.
@DevJanderson You need to add a changeset first via
https://makenowjust-labs.github.io/recheck/playground/ said the original regex (with
One more thing you may need to send another PR with the same content to the
pcarleton
left a comment
LGTM, thank you!
Any plans for getting a new release with this fix?
Summary
This PR fixes the ReDoS (Regular Expression Denial of Service) vulnerability in the `UriTemplate` class (CVE-2026-0621).
Problem
The regex patterns for exploded array templates (`{/id*}` and `{id*}`) used `([^/]+(?:,[^/]+)*)`, which causes catastrophic backtracking when processing malicious URIs containing many commas.
Solution
Replace the vulnerable pattern with `([^/,]+(?:,[^/,]+)*)` - explicitly excluding commas from the first character class prevents nested quantifier backtracking.
Changes
- `packages/core/src/shared/uriTemplate.ts`: Fix regex patterns on lines 228 and 238
- `packages/core/test/shared/uriTemplate.test.ts`: Add regression tests for ReDoS
Testing
All existing tests pass, plus 2 new tests verify the fix prevents ReDoS:
- should not be vulnerable to ReDoS with exploded path patterns
- should not be vulnerable to ReDoS with exploded simple patterns
Fixes #965
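As an added illustration (not the SDK's own code), the fixed pattern from this PR can be exercised in a small harness: it matches the comma-separated values an exploded `{/id*}` or `{id*}` template is meant to accept, rejects inputs the pattern is not supposed to accept, and is checked against a long, comma-heavy input under a wall-clock budget, the same idea as the regression tests the PR adds. The `^`/`$` anchoring, the helper names and the budget value are assumptions for the example; how `uriTemplate.ts` embeds the group in its full pattern is not shown here.

```javascript
// Added example: exercising the PR's fixed pattern ([^/,]+(?:,[^/,]+)*).
// Anchoring and helper names are assumptions, not the SDK's own code.
const EXPLODED_PATH = /^\/([^/,]+(?:,[^/,]+)*)$/;   // assumed shape for {/id*}
const EXPLODED_SIMPLE = /^([^/,]+(?:,[^/,]+)*)$/;   // assumed shape for {id*}

// Match the input and split the captured group into the exploded list,
// or return null when the pattern does not accept the input.
function matchExploded(re, input) {
  const m = re.exec(input);
  return m ? m[1].split(',') : null;
}

function expandPath(input) {
  return matchExploded(EXPLODED_PATH, input);
}

function expandSimple(input) {
  return matchExploded(EXPLODED_SIMPLE, input);
}

// Run one regex test and report whether it finished within the budget.
// Each [^/,]+ segment has exactly one way to match, so the fixed pattern
// backtracks at most linearly on a failing input.
function matchesWithinBudget(re, input, budgetMs = 100) {
  const start = process.hrtime.bigint();
  re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return elapsedMs < budgetMs;
}

// Regression check in the spirit of the PR's new tests: a constructed input
// with thousands of comma-separated segments that cannot match as a whole
// (it ends in a '/') must still be decided quickly.
function regressionCheck() {
  const hostile = '/' + 'a,'.repeat(5000) + '/';
  return (
    matchesWithinBudget(EXPLODED_PATH, hostile) &&
    matchesWithinBudget(EXPLODED_SIMPLE, hostile.slice(1))
  );
}

module.exports = { expandPath, expandSimple, matchesWithinBudget, regressionCheck };
```

Note that excluding the comma from the first character class also means every segment must be non-empty: an input such as `a,,b` is no longer accepted, so a project adopting such a fix should keep a test for that case to make the behaviour change deliberate rather than accidental.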