ГлавнаяУязвимости → CVE-2026-25536
7.1высокая

CVE-2026-25536

Описание

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.

Затрагиваемое ПО
Lfprojects Mcp typescript sdk
CVSS
Балл7.1 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Источники
https://github.com/modelcontextprotocol/typescript-sdk/issues/204https://github.com/modelcontextprotocol/typescript-sdk/issues/243https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7https://access.redhat.com/errata/RHSA-2026:3960https://access.redhat.com/security/cve/CVE-2026-25536https://bugzilla.redhat.com/show_bug.cgi?id=2436937https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25536.json