Insecure Default Initialization of Resource in typescript-sdk - CVE-2025-66414

Published: March 11, 2026


Vulnerability identifier: #VU123885
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-66414
CWE-ID: CWE-1188 (Initialization of a Resource with an Insecure Default)
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Model Context Protocol
Affected software:
typescript-sdk

Detailed vulnerability description

The vulnerability allows a remote attacker to read and modify data on the system through the tools and resources the MCP server exposes.

The vulnerability exists because the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers, so an affected server accepts requests regardless of the Host header they carry. A DNS rebinding attack abuses this: a user who opens an attacker-controlled web page has their browser resolve the attacker's hostname to 127.0.0.1 once the page has loaded, and the page's subsequent requests reach the MCP server listening on the user's machine while the browser still treats them as same-origin and lets the page read the responses. A remote attacker can thereby invoke tools or access resources exposed by the MCP server on behalf of the user in limited circumstances: the user must visit the malicious page while the server is running, which is why the CVSS vector records active user interaction (UI:A).
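The following is an added illustration of the failure mode, not code from the MCP TypeScript SDK or this advisory. It models an HTTP MCP endpoint under the affected default (no Host check at all) beside a configuration that enforces a Host allowlist, which is the check DNS rebinding protection adds. The option names `enableDnsRebindingProtection` and `allowedHosts` follow those the SDK documents for its HTTP server transport; the hostnames, request bodies and the handler itself are constructed for the example.

```typescript
// Added example (not the SDK's own code): the affected default beside the
// hardened Host-header check. All hosts and requests below are constructed.

interface RebindingOptions {
  // Affected SDK versions default this to false; the protection must be opted into.
  enableDnsRebindingProtection: boolean;
  // Host values the server is meant to answer for, with or without a port.
  allowedHosts: string[];
}

interface McpRequest {
  method: string;
  headers: Record<string, string | undefined>;
  body: string;
}

interface McpResponse {
  status: number;
  body: string;
}

// Split a Host header (or allowlist entry) into a lowercase hostname and an
// optional port. IPv6 literals arrive bracketed, e.g. "[::1]:3000".
function splitHost(value: string): { host: string; port?: string } {
  const v = value.trim().toLowerCase();
  if (v.startsWith("[")) {
    const end = v.indexOf("]");
    if (end === -1) return { host: v };
    const rest = v.slice(end + 1);
    return { host: v.slice(1, end), port: rest.startsWith(":") ? rest.slice(1) : undefined };
  }
  const idx = v.lastIndexOf(":");
  return idx === -1 ? { host: v } : { host: v.slice(0, idx), port: v.slice(idx + 1) };
}

// An allowlist entry without a port matches that hostname on any port; an
// entry with a port must match host and port exactly.
function isHostAllowed(hostHeader: string | undefined, opts: RebindingOptions): boolean {
  if (!opts.enableDnsRebindingProtection) return true; // the vulnerable default: no check at all
  if (hostHeader === undefined || hostHeader.trim() === "") return false;
  const req = splitHost(hostHeader);
  return opts.allowedHosts.some((entry) => {
    const allowed = splitHost(entry);
    return allowed.host === req.host && (allowed.port === undefined || allowed.port === req.port);
  });
}

// Stand-in for the transport's request handling: anything that gets past the
// host check reaches the MCP server and the tools it exposes.
function handleMcpRequest(req: McpRequest, opts: RebindingOptions): McpResponse {
  if (!isHostAllowed(req.headers["host"], opts)) {
    return { status: 403, body: "Forbidden: Host header not in allowed list" };
  }
  return { status: 200, body: `dispatched to MCP server: ${req.body}` };
}

// What the victim's browser sends once the attacker-controlled name has been
// rebound to 127.0.0.1: the TCP connection goes to the local server, but the
// Host header still names the attacker's domain (constructed values).
const rebindingRequest: McpRequest = {
  method: "POST",
  headers: { host: "rebind.attacker.invalid:3000", "content-type": "application/json" },
  body: '{"jsonrpc":"2.0","id":1,"method":"tools/list"}',
};

// A request from a legitimate local client.
const localRequest: McpRequest = {
  method: "POST",
  headers: { host: "127.0.0.1:3000", "content-type": "application/json" },
  body: '{"jsonrpc":"2.0","id":1,"method":"tools/list"}',
};

// The affected default: protection off, so the allowlist is never consulted.
const affectedDefaults: RebindingOptions = { enableDnsRebindingProtection: false, allowedHosts: [] };

// The hardened configuration: protection on, only loopback names accepted.
const hardened: RebindingOptions = {
  enableDnsRebindingProtection: true,
  allowedHosts: ["127.0.0.1", "localhost", "[::1]"],
};

console.log(handleMcpRequest(rebindingRequest, affectedDefaults).status); // 200: the attacker's page reaches the server
console.log(handleMcpRequest(rebindingRequest, hardened).status);         // 403
console.log(handleMcpRequest(localRequest, hardened).status);             // 200
```

The point of the comparison is that the rebinding request is indistinguishable at the network layer from a local one (it really does arrive on 127.0.0.1); only the Host header, which the attacker cannot forge from a browser, reveals it. A server that serves browser clients on a non-loopback name must add that name to the allowlist, with the port where the deployment pins one.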


How to mitigate CVE-2025-66414

Install updates from the vendor's website. Deployments that cannot update immediately should enable DNS rebinding protection explicitly in the HTTP transport configuration and restrict the accepted Host values to the addresses the server is intended to serve (for a local server, the loopback names only), and should not bind the server to interfaces it does not need.
