Skip to content

fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport)#1365

Merged
pcarleton merged 2 commits intov1.xfrom
fix/redos-v1.x
Jan 7, 2026
Merged

fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport)#1365
pcarleton merged 2 commits intov1.xfrom
fix/redos-v1.x

Conversation

@pcarleton
Copy link
Member

@pcarleton pcarleton commented Jan 7, 2026

Summary

Backport of the ReDoS fix from #1363 to the v1.x branch.

Changes

The exploded array handling regex patterns in UriTemplate were vulnerable to ReDoS (Regular Expression Denial of Service) attacks. Changed [^/]+ to [^/,]+ in the character class to prevent catastrophic backtracking when matching malicious input.

Security Impact

  • CVE: CVE-2026-0621
  • Severity: Moderate
  • Attack Vector: A malicious URI with repeated commas could cause exponential backtracking

Changes Made

  • Fixed regex pattern on line 228 (empty operator, exploded)
  • Fixed regex pattern on line 238 (path operator, exploded)
  • Added ReDoS regression tests

Testing

All existing tests pass, plus two new security regression tests that verify the fix prevents the ReDoS vulnerability.

Version

Bumped to v1.25.2 for patch release.

Fixes #965

@pcarleton
fix: prevent ReDoS in UriTemplate regex patterns
646cfab 
The exploded array handling regex patterns were vulnerable to ReDoS attacks.
Changed [^/]+ to [^/,]+ in the character class to prevent catastrophic backtracking.

CVE-2026-0621
Fixes #965
@pcarleton
1.25.2
390df91
@pcarleton pcarleton requested a review from a team as a code owner January 7, 2026 12:14
@changeset-bot
Copy link

changeset-bot bot commented Jan 7, 2026

⚠️ No Changeset found

Latest commit: 390df91

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 7, 2026

Open in StackBlitz

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/sdk@1365

commit: 390df91

@pcarleton
Copy link
Member Author

pcarleton commented Jan 7, 2026

hmm changesets don't exist on the v1.x branch, we should probably fix that notification

@pcarleton pcarleton merged commit b392f02 into v1.x Jan 7, 2026
7 checks passed
@pcarleton pcarleton deleted the fix/redos-v1.x branch January 7, 2026 14:37
@joeyorlando joeyorlando mentioned this pull request Jan 7, 2026
Merged
joeyorlando added a commit to archestra-ai/archestra that referenced this pull request Jan 7, 2026
@joeyorlando
deps: address CVE-2026-0621 (#1898)
9b95312 
See modelcontextprotocol/typescript-sdk#1365

Closes https://github.com/archestra-ai/archestra/security/dependabot/70

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> <sup>[Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) is
generating a summary for commit
dc193e5. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
@rossdakin rossdakin mentioned this pull request Jan 9, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bhosmer-ant bhosmer-ant bhosmer-ant approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pcarleton @bhosmer-ant