AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-0621: Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS

highvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseJanuary 5, 2026CVE-2026-0621

Summary

Anthropic's MCP TypeScript SDK (a toolkit for building AI applications) versions up to 1.25.1 has a ReDoS vulnerability (regular expression denial of service, where a maliciously designed input causes the regex parser to work extremely hard and freeze the system) in its UriTemplate class. An attacker can send a specially crafted URI (web address) that makes the Node.js process (the JavaScript runtime environment) consume excessive CPU and stop responding, causing the application to crash or become unavailable.

Vulnerability Details

CVSS Score

7.5(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack Type

DoS

Attack SophisticationModerate

Impact (CIA+S)

availability

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-1333

Affected Vendors

Anthropic

Related Issues

high

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Same vendorTechCrunch

medium

CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

First tracked: February 15, 2026 at 08:50 PM

Classified by LLM (prompt v3) · confidence: 95%