Conversation

@i5d6
Contributor

@i5d6 i5d6 commented Feb 6, 2026

Summary

The project includes a vulnerable third-party dependency:

@modelcontextprotocol/sdk version ^1.24.0

This version is affected by CVE-2026-25536, a race condition vulnerability (CWE-362) that may lead to cross-session data leakage when server or transport instances are reused across concurrent clients.


Affected File

examples/mcp/package.json

"@modelcontextprotocol/sdk": "^1.24.0"

Vulnerability Details

  • CVE: CVE-2026-25536
  • CWE: CWE-362 (Race Condition)
  • CVSS Score: 7.1 (High)
  • Advisory ID: SNYK-JS-MODELCONTEXTPROTOCOLSDK-15208843

According to the official advisory, versions prior to 1.26.0 may not properly isolate request state across concurrent clients if server or transport instances are reused.

This may introduce a risk of:

  • Cross-request data leakage
  • Session data exposure
  • Unexpected behavior under concurrent usage

Impact Assessment

If the application:

  • Reuses a single server or transport instance
  • Handles multiple concurrent client connections

There is potential for improper isolation between requests, which could result in data from one client being exposed to another.
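The condition the report describes, illustrated with an added simulation that is not code from the MCP SDK or from this PR: a `Transport` stand-in keeps one "current client" slot, a `Server` stand-in does asynchronous work before replying, and two clients call it concurrently. With one shared server/transport pair the slot is overwritten between the await and the reply, so one client's response is delivered to the other; with a fresh pair per connection the slot cannot be shared. All class and function names here are constructed for the example and do not correspond to the SDK's own API.

```javascript
// Constructed stand-ins (not the SDK's classes) for the shared-instance hazard.
// The single `currentClient` slot is the shared mutable state that races.
class Transport {
  constructor() { this.currentClient = null; this.delivered = []; }
  attach(clientId) { this.currentClient = clientId; }
  send(payload) { this.delivered.push({ to: this.currentClient, payload }); }
}

class Server {
  constructor(transport) { this.transport = transport; }
  async handle(clientId, secret) {
    this.transport.attach(clientId);
    // Simulated asynchronous work (a tool call, a backend request) between
    // accepting the request and writing the response.
    await new Promise(resolve => setTimeout(resolve, 0));
    this.transport.send(`response-for-${secret}`);
  }
}

// Vulnerable pattern: one Server and one Transport reused for every connection.
async function sharedInstancePattern(requests) {
  const transport = new Transport();
  const server = new Server(transport);
  await Promise.all(requests.map(r => server.handle(r.clientId, r.secret)));
  return transport.delivered;
}

// Isolated pattern: a fresh Server and Transport for each connection.
async function perConnectionPattern(requests) {
  const delivered = [];
  await Promise.all(requests.map(async r => {
    const transport = new Transport();
    const server = new Server(transport);
    await server.handle(r.clientId, r.secret);
    delivered.push(...transport.delivered);
  }));
  return delivered;
}

// Count responses delivered to a client other than the one whose request
// produced them; anything above zero is cross-client leakage.
function countCrossClientLeaks(delivered, requests) {
  const owner = new Map(requests.map(r => [`response-for-${r.secret}`, r.clientId]));
  return delivered.filter(d => owner.get(d.payload) !== d.to).length;
}

// Constructed sample: two clients whose responses must stay separate.
const REQUESTS = [
  { clientId: 'alice', secret: 'alice-token' },
  { clientId: 'bob', secret: 'bob-token' },
];

async function main() {
  const shared = await sharedInstancePattern(REQUESTS);
  const isolated = await perConnectionPattern(REQUESTS);
  console.log('shared instance leaks:', countCrossClientLeaks(shared, REQUESTS));
  console.log('per-connection leaks:', countCrossClientLeaks(isolated, REQUESTS));
}
main();
```

Under the shared pattern, alice's request attaches the slot, yields, bob's request overwrites it, and alice's response is then written with bob as the recipient. The per-connection pattern is the shape of the mitigation in the advisory (do not reuse a server/transport instance across clients), independent of which version of the SDK is installed.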

While I have not confirmed active exploitation in the current implementation, the dependency remains in a version known to contain a high-severity race condition vulnerability.


Recommended Remediation

Upgrade to:

@modelcontextprotocol/sdk >= 1.26.0

The issue is resolved starting from version 1.26.0.
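A check a reviewer can run before and after the upgrade, added here as an example and not part of this PR: a package.json range such as `^1.24.0` only constrains what a fresh install may resolve to, so the version actually installed is the one recorded in package-lock.json, and nested copies under other dependencies' `node_modules` count too. The function below walks a lockfile's `packages` map (lockfile v2/v3 layout) and flags every copy of `@modelcontextprotocol/sdk` inside the affected range named above, 1.10.0 up to but excluding 1.26.0. The sample lockfile is constructed for the example.

```javascript
// Added lockfile audit for the affected range reported above (not part of this PR).
const PKG = '@modelcontextprotocol/sdk';
const AFFECTED_FROM = [1, 10, 0]; // first affected version (from the advisory text)
const FIXED_AT = [1, 26, 0];      // first fixed version

// Parse "MAJOR.MINOR.PATCH" (pre-release suffixes are ignored for this range check).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, FIXED_AT) < 0;
}

// Returns one record per installed copy of PKG, top-level or nested:
// { path, version, affected }.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTopLevel = path === `node_modules/${PKG}`;
    const isNested = path.endsWith(`/node_modules/${PKG}`);
    if (isTopLevel || isNested) {
      results.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return results;
}

// Constructed sample lockfile: the top-level copy is still in the affected
// range, a nested copy under a hypothetical plugin is already fixed.
const SAMPLE_LOCK = JSON.stringify({
  name: 'mcp-example',
  lockfileVersion: 3,
  packages: {
    '': { name: 'mcp-example', dependencies: { [PKG]: '^1.24.0' } },
    [`node_modules/${PKG}`]: { version: '1.25.3' },
    [`node_modules/some-plugin/node_modules/${PKG}`]: { version: '1.26.0' },
  },
});

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.path}: ${r.version} ${r.affected ? 'AFFECTED' : 'ok'}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with the contents of its package-lock.json; a non-empty set of `affected: true` records means the upgrade has not taken effect for that copy, even if package.json already says `>= 1.26.0`.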


References


Thank you for reviewing this report. Please let me know if further validation or testing details are required.

Best regards,

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.
@frahidipolice-ux

cool

Contributor

@aayush-kapoor aayush-kapoor left a comment

thanks!

Contributor

@aayush-kapoor aayush-kapoor left a comment

failing ci

@aayush-kapoor
Contributor

closing since it needed more changes - track here #12469

3 participants