
Conversation

github-actions bot (Contributor) commented Jan 7, 2026

Short description of the changes made

Updated @modelcontextprotocol/sdk direct dependency from ^1.25.1 to ^1.25.2 in packages/fern-docs/bundle/package.json, which contains the fix for the ReDoS vulnerability (CVE-2026-0621).

What was the motivation & context behind this PR?

Alert Details:

The vulnerability is a Regular Expression Denial of Service (ReDoS) in the UriTemplate class when processing RFC 6570 exploded array patterns. An attacker could supply a malicious URI that causes excessive CPU consumption.

View Dependabot Alert

How has this PR been tested?

  • All lint checks pass (pnpm lint:biome)
  • Verified with pnpm why @modelcontextprotocol/sdk that version 1.25.2 is resolved for both the direct dependency and mcp-handler peer dependency

Checklist for human review

  • Verify version 1.25.2 contains the ReDoS fix

cc @davidkonigsberg for review

Link to Devin run: https://app.devin.ai/sessions/ba74b1349f614ccaa72530c457c0d55b

vercel bot (Contributor) commented Jan 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
fern-dashboard Ready Ready Preview Jan 7, 2026 6:24pm
fern-dashboard-dev Ready Ready Preview Jan 7, 2026 6:24pm
4 Skipped Deployments
Project Deployment Review Updated (UTC)
dev.ferndocs.com Ignored Ignored Preview Jan 7, 2026 6:24pm
fern-platform Ignored Ignored Jan 7, 2026 6:24pm
prod-assets.ferndocs.com Ignored Ignored Preview Jan 7, 2026 6:24pm
prod.ferndocs.com Ignored Ignored Preview Jan 7, 2026 6:24pm

…VE-2026-0621)

Override @modelcontextprotocol/sdk to use the fixed commit from GitHub
(0a75810b26e24bae6b9cfb41e12ac770aeaa1da4) which contains the fix for
the ReDoS vulnerability in the UriTemplate class.

The fix was merged to the main branch on 2026-01-07 but has not yet been
published to npm. Using a pnpm override to point to the fixed commit
until a new npm version is released.

Closes Dependabot Alert #304

Co-Authored-By: unknown <>
@devin-ai-integration devin-ai-integration bot changed the title [Dependabot Alert #304] HIGH: @modelcontextprotocol/sdk vulnerability fix(docs): address ReDoS vulnerability in @modelcontextprotocol/sdk (CVE-2026-0621) Jan 7, 2026
github-actions bot (Contributor, Author) commented Jan 7, 2026

🚀 FDR Lambda Preview Deployed

Your Lambda function has been deployed to a preview environment!

🔗 Preview URL: https://lc4mjfmprd.execute-api.us-east-1.amazonaws.com/preview-6240

📝 Available Endpoints:

  • Base: GET https://lc4mjfmprd.execute-api.us-east-1.amazonaws.com/preview-6240
  • Health: GET https://lc4mjfmprd.execute-api.us-east-1.amazonaws.com/preview-6240/health
  • Metadata (public): POST https://lc4mjfmprd.execute-api.us-east-1.amazonaws.com/preview-6240/metadata-for-url
  • Load Docs (requires auth): POST https://lc4mjfmprd.execute-api.us-east-1.amazonaws.com/preview-6240/load-docs-for-url
  • Get Docs Fields (requires auth): POST https://lc4mjfmprd.execute-api.us-east-1.amazonaws.com/preview-6240/get-docs-fields

📋 Example Usage:

# Test default endpoint
curl "https://lc4mjfmprd.execute-api.us-east-1.amazonaws.com/preview-6240"

# Test metadata endpoint (public - no auth required)
curl -X POST "https://lc4mjfmprd.execute-api.us-east-1.amazonaws.com/preview-6240/metadata-for-url" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://docs.buildwithfern.com"}'

# Test load docs endpoint (requires Fern token)
curl -X POST "https://lc4mjfmprd.execute-api.us-east-1.amazonaws.com/preview-6240/load-docs-for-url" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $FERN_TOKEN" \
  -d '{"url":"https://docs.buildwithfern.com"}'

# Test load-fields endpoint (requires Fern token)
curl -X POST "https://lc4mjfmprd.execute-api.us-east-1.amazonaws.com/preview-6240/load-fields" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $FERN_TOKEN" \
  -d '{"domain":"docs.buildwithfern.com","fields":["BASE_URL","CONFIG"]}'

🏷️ Stack Name: fdr-lambda-preview-6240

ℹ️ Note: This preview will be automatically destroyed when the PR is closed or merged.

davidkonigsberg (Collaborator) commented

We should be able to use version 1.25.2 once this PR merges: modelcontextprotocol/typescript-sdk#1365

github-actions bot (Contributor, Author) commented Jan 7, 2026

🌱 Smoke Test Preview

Run at: 2026-01-07 18:32:41 UTC

Testing branch changes with smoke test content:

⚠️ Crawler did not run or failed to generate results

devin-ai-integration bot (Contributor) commented

@davidkonigsberg This PR is ready for review.

Summary:

  • Added a pnpm override to use the fixed version of @modelcontextprotocol/sdk from GitHub commit 0a75810b which contains the fix for the ReDoS vulnerability (CVE-2026-0621)
  • The fix was merged to the upstream repository on 2026-01-07 (PR #1363) but no patched npm version has been published yet
  • Deleted the scaffold file as instructed

CI Status:

  • All required checks pass (lint, check, test)
  • The typecheck failure is a pre-existing issue in src/app/[host]/[domain]/api/fern-docs/mcp/route.ts (unrelated to this PR)
  • The self-hosted and Knip failures are also not related to this change

Note: The override should be removed once a patched version (>1.25.1) is published to npm.
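As an added example (not code from the fern repository or from the MCP SDK), the script below shows the shape of the temporary pnpm override that the commit message and the summary above describe: pinning @modelcontextprotocol/sdk to the named upstream commit, refusing to pin to a movable ref such as a branch name, and checking when the override can be dropped again once a release at or above 1.25.2 is on npm. It assumes the `github:owner/repo#commit` specifier form, that the repository path is modelcontextprotocol/typescript-sdk as cited in this thread, and that the repository builds itself on install (for example via a prepare script), which the thread does not confirm. The sample manifest and the small semver helper are constructed for the example.

```javascript
// Added example, not code from the fern repository or the MCP SDK.
// It builds the kind of temporary pnpm override the PR describes (pin a
// dependency to a fixed upstream commit) and decides when the override can go.

const PACKAGE = "@modelcontextprotocol/sdk";
// Repository and commit as named in the PR thread. "github:owner/repo#ref" is the
// git shorthand accepted in pnpm overrides; using it assumes the repository can
// build itself on install (e.g. a prepare script), which the thread does not confirm.
const REPO = "modelcontextprotocol/typescript-sdk";
const FIXED_COMMIT = "0a75810b26e24bae6b9cfb41e12ac770aeaa1da4";
// First npm release that the thread says carries the fix.
const FIRST_FIXED_VERSION = "1.25.2";

// Only a full 40-hex commit id is accepted: a branch or tag name can be moved
// after the fact, so an override pointing at one is not a stable pin.
function isFullCommitSha(ref) {
  return /^[0-9a-f]{40}$/.test(ref);
}

// Return a copy of the manifest with the override added (the input is not mutated).
function addOverride(pkgJson, commit = FIXED_COMMIT) {
  if (!isFullCommitSha(commit)) {
    throw new Error(`refusing to pin ${PACKAGE} to non-commit ref "${commit}"`);
  }
  const copy = JSON.parse(JSON.stringify(pkgJson));
  copy.pnpm = copy.pnpm || {};
  copy.pnpm.overrides = copy.pnpm.overrides || {};
  copy.pnpm.overrides[PACKAGE] = `github:${REPO}#${commit}`;
  return copy;
}

// Return a copy with the override removed; an emptied "pnpm" block is dropped so
// the manifest looks as it did before the temporary pin.
function removeOverride(pkgJson) {
  const copy = JSON.parse(JSON.stringify(pkgJson));
  if (copy.pnpm && copy.pnpm.overrides) {
    delete copy.pnpm.overrides[PACKAGE];
    if (Object.keys(copy.pnpm.overrides).length === 0) delete copy.pnpm.overrides;
    if (Object.keys(copy.pnpm).length === 0) delete copy.pnpm;
  }
  return copy;
}

// Minimal numeric semver comparison (major.minor.patch, no prerelease handling):
// returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The override is still needed while the newest version npm offers is below the
// first fixed release.
function overrideStillNeeded(latestPublished, firstFixed = FIRST_FIXED_VERSION) {
  return compareSemver(latestPublished, firstFixed) < 0;
}

// Constructed sample manifest, modelled on the dependency line quoted in the PR.
const samplePackageJson = {
  name: "example-bundle",
  private: true,
  dependencies: { [PACKAGE]: "^1.25.1" },
};

const pinnedSample = addOverride(samplePackageJson);
console.log(JSON.stringify(pinnedSample.pnpm, null, 2));
console.log("override still needed at 1.25.1:", overrideStillNeeded("1.25.1"));
console.log("override still needed at 1.25.2:", overrideStillNeeded("1.25.2"));
```

The full-SHA check is the part worth keeping in a real repository: an override that names a branch resolves to whatever that branch points at on the day of the install, so it neither guarantees the fix is present nor gives a reproducible lockfile.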

@davidkonigsberg davidkonigsberg marked this pull request as ready for review January 7, 2026 18:16
@davidkonigsberg davidkonigsberg merged commit 6cc5e8d into app Jan 7, 2026
32 of 33 checks passed
@davidkonigsberg davidkonigsberg deleted the dependabot-alert-304-devin branch January 7, 2026 18:33
github-actions bot (Contributor, Author) commented Jan 7, 2026

🗑️ Preview Environment Cleaned Up

The preview Lambda stack fdr-lambda-preview-6240 has been destroyed.
