SB2026031142 - Insecure Default Initialization of Resource in Model Context Protocol (MCP) TypeScript SDK

Published: March 11, 2026

Security Bulletin ID: SB2026031142
Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Insecure Default Initialization of Resource (CVE-ID: CVE-2025-66414)

The vulnerability allows a remote attacker to read and modify data on the system.

The vulnerability exists because the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. With that protection absent, a remote attacker can invoke tools or access resources exposed by the MCP server on behalf of the user in limited circumstances.
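The protection the bulletin refers to is a Host/Origin allowlist applied to every request before the MCP endpoint handles it. The example below is added here and is not the SDK's own code: it implements that gate from scratch, shows the insecure default (checks disabled) next to a hardened configuration, and uses option names that mirror the SDK's transport options only as an assumption.

```typescript
// Added example, not code from the MCP TypeScript SDK. Option names are an
// assumption chosen to mirror the SDK's HTTP transport options.
interface RebindingOptions {
  enableDnsRebindingProtection: boolean;
  allowedHosts?: string[];    // e.g. ["127.0.0.1:3000", "localhost:3000"]
  allowedOrigins?: string[];  // e.g. ["http://localhost:3000"]
}

type HeaderMap = Record<string, string | undefined>; // lower-cased header names

// Returns null when the request may proceed, otherwise the rejection reason.
function checkRebindingProtection(headers: HeaderMap, opts: RebindingOptions): string | null {
  // The insecure default described in the bulletin: nothing is checked at all.
  if (!opts.enableDnsRebindingProtection) return null;

  // A rebound request carries the attacker's hostname in Host, because the
  // browser resolved that name to the address the local server listens on.
  const host = headers["host"]?.trim().toLowerCase();
  if (!host) return "missing Host header";
  const allowedHosts = (opts.allowedHosts ?? []).map((h) => h.toLowerCase());
  if (!allowedHosts.includes(host)) return `Host not allowed: ${host}`;

  // When a browser attaches Origin, it must also be on the allowlist.
  const origin = headers["origin"]?.trim().toLowerCase();
  if (origin !== undefined) {
    const allowedOrigins = (opts.allowedOrigins ?? []).map((o) => o.toLowerCase());
    if (!allowedOrigins.includes(origin)) return `Origin not allowed: ${origin}`;
  }
  return null;
}

// Constructed sample requests: a legitimate local client, and a request that
// reached the server through a rebound attacker-controlled hostname.
const localClient: HeaderMap = { host: "localhost:3000", "content-type": "application/json" };
const reboundRequest: HeaderMap = { host: "rebind.example:3000", origin: "http://rebind.example:3000" };

const insecureDefault: RebindingOptions = { enableDnsRebindingProtection: false };
const hardened: RebindingOptions = {
  enableDnsRebindingProtection: true,
  allowedHosts: ["127.0.0.1:3000", "localhost:3000"],
  allowedOrigins: ["http://localhost:3000", "http://127.0.0.1:3000"],
};

// Runs both requests against both configurations.
function demo(): Record<string, string | null> {
  return {
    defaultLocal: checkRebindingProtection(localClient, insecureDefault),
    defaultRebound: checkRebindingProtection(reboundRequest, insecureDefault), // passes: the flaw
    hardenedLocal: checkRebindingProtection(localClient, hardened),
    hardenedRebound: checkRebindingProtection(reboundRequest, hardened),       // rejected
  };
}
```

Binding the server to a loopback address does not replace this check: the rebound request arrives on that same address, so only the Host/Origin comparison distinguishes it from a local client.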


Remediation

Install the update from the vendor's website.