#VU123885 Insecure Default Initialization of Resource in typescript-sdk - CVE-2025-66414

 

Published: March 11, 2026


Vulnerability identifier: #VU123885
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-66414
CWE-ID: CWE-1188
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
typescript-sdk
Software vendor:
Model Context Protocol

Description

The vulnerability allows a remote attacker to read and modify data on the system.

The vulnerability exists because the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. A remote attacker can invoke tools or access resources exposed by the MCP server on behalf of the user in limited circumstances.
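
DNS rebinding protection for a locally bound HTTP server comes down to rejecting requests whose Host (and, when present, Origin) header is not on an allowlist. The sketch below is an added example, not code from the SDK or the vendor; the function names, port 3000 and the allowlist contents are assumptions.

```javascript
// Added example: Host/Origin allowlist check for a loopback-bound HTTP server.
// Every name and value below is hypothetical (not an SDK API); port 3000 is assumed.
const ALLOWED_HOSTS = new Set(["127.0.0.1:3000", "localhost:3000", "[::1]:3000"]);
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:3000", "http://localhost:3000"]);

// Returns the lowercased header value, undefined if absent, or null if the
// header was repeated (ambiguous, so the caller rejects it).
function headerValue(headers, name) {
  const v = headers[name];
  if (Array.isArray(v)) return v.length === 1 ? String(v[0]).trim().toLowerCase() : null;
  return typeof v === "string" ? v.trim().toLowerCase() : undefined;
}

function checkRebinding(headers, hosts = ALLOWED_HOSTS, origins = ALLOWED_ORIGINS) {
  // After a rebind the browser still sends the foreign name in Host, so an
  // exact match against the names this server is meant to answer to fails.
  const host = headerValue(headers, "host");
  if (!host || !hosts.has(host)) return { ok: false, status: 403, reason: "host not allowed" };
  // Origin is absent for non-browser clients; when present it must be allowlisted.
  const origin = headerValue(headers, "origin");
  if (origin === null || (origin !== undefined && !origins.has(origin))) {
    return { ok: false, status: 403, reason: "origin not allowed" };
  }
  return { ok: true, status: 200, reason: "ok" };
}

// Constructed sample request headers (lowercase keys, as Node's http module delivers them).
const SAMPLE_REQUESTS = [
  { name: "local client", headers: { host: "127.0.0.1:3000" } },
  { name: "local web UI", headers: { host: "localhost:3000", origin: "http://localhost:3000" } },
  { name: "rebound name", headers: { host: "rebind.example:3000", origin: "http://rebind.example:3000" } },
  { name: "cross-origin page", headers: { host: "127.0.0.1:3000", origin: "https://other.example" } },
  { name: "missing host", headers: {} },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => ({ name: r.name, ...checkRebinding(r.headers) }));
}

for (const r of evaluateSamples()) console.log(`${r.status} ${r.name}: ${r.reason}`);
```

A server would run such a check on every request before dispatching it and answer 403 when `ok` is false.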


Remediation

Install updates from the vendor's website.
