14 matches found
CVE-2026-39313
mcp-framework is a framework for building Model Context Protocol (MCP) servers. In versions 0.2.21 and below, the readRequestBody function in the HTTP transport concatenates request body chunks into a string with no size limit. Although a maxMessageSize configuration value exists, it is never...
MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
Summary The readRequestBody function in src/transports/http/server.ts concatenates HTTP request body chunks into a string with no size limit, allowing a remote unauthenticated attacker to crash the server via memory exhaustion with a single large HTTP POST request. Details File:...
@aumoai/mcp-data-analyst (>=0.1.0 <=0.2.8-a), @geobio/code_execution_server (>=0.2.0 <=0.2.1) +35 more potentially affected by CVE-2026-39313 via mcp-framework (>=0.1.27 <=0.2.2)
mcp-framework NPM version =0.1.27, =0.1.0, =0.2.0, =1.0.11, =0.2.0, =0.2.0, =0.0.1, =0.0.4 and more Source cves: CVE-2026-39313 Source advisory: SNYK:JS-MCPFRAMEWORK-16420257...
Allocation of Resources Without Limits or Throttling
Overview mcp-framework is a framework for building Model Context Protocol (MCP) servers in TypeScript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the readRequestBody function. An attacker can exhaust system memory and cause a server...
EUVD-2026-23300
MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport...
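The entries above describe the same flaw from several angles: chunks are appended to a string until the request ends, and the configured limit is never consulted. The following is an added example, not code from mcp-framework; the names `accumulateUnbounded`, `accumulateBounded`, `contentLengthExceeds`, `readRequestBody` and `PayloadTooLarge` are hypothetical. It places the unbounded pattern beside a version that enforces `maxMessageSize` as bytes arrive, so an oversized POST is refused at the first chunk that crosses the limit rather than after the whole body has been buffered.

```typescript
import { Readable } from "node:stream";

// Added example: a request-body reader with and without a size limit.
// All names here are hypothetical, not mcp-framework's own API.

export class PayloadTooLarge extends Error {
  readonly statusCode = 413;
  readonly limit: number;
  constructor(limit: number) {
    super(`request body exceeds maxMessageSize of ${limit} bytes`);
    this.limit = limit;
  }
}

// Vulnerable pattern: every chunk is appended, nothing is ever compared
// against a limit, so one large POST grows the string until the process dies.
export function accumulateUnbounded(chunks: Iterable<Buffer>): string {
  let body = "";
  for (const chunk of chunks) body += chunk.toString("utf8");
  return body;
}

// Hardened pattern: count bytes as they arrive and stop at the first chunk
// that pushes the total past the limit, before that chunk is buffered.
export function accumulateBounded(chunks: Iterable<Buffer>, maxMessageSize: number): Buffer {
  const parts: Buffer[] = [];
  let received = 0;
  for (const chunk of chunks) {
    received += chunk.length;
    if (received > maxMessageSize) throw new PayloadTooLarge(maxMessageSize);
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// Cheap first line of defence: reject on the declared Content-Length before
// reading anything. Not sufficient alone (chunked bodies carry no length and
// a client can lie), so the byte count above is still enforced.
export function contentLengthExceeds(
  headers: Record<string, string | undefined>,
  maxMessageSize: number,
): boolean {
  const raw = headers["content-length"];
  if (raw === undefined) return false;
  const declared = Number(raw);
  return !Number.isFinite(declared) || declared > maxMessageSize;
}

// Stream wrapper for a real http.IncomingMessage (any Readable works).
// On overflow the socket is destroyed so the client cannot keep streaming.
export async function readRequestBody(req: Readable, maxMessageSize: number): Promise<string> {
  const parts: Buffer[] = [];
  let received = 0;
  for await (const chunk of req) {
    const buf: Buffer = typeof chunk === "string" ? Buffer.from(chunk) : chunk;
    received += buf.length;
    if (received > maxMessageSize) {
      req.destroy();
      throw new PayloadTooLarge(maxMessageSize);
    }
    parts.push(buf);
  }
  return Buffer.concat(parts).toString("utf8");
}
```

In an HTTP handler the caller maps `PayloadTooLarge` to a 413 response; the important property is that the limit is checked inside the read loop, since a `maxMessageSize` that is only stored in configuration, as the advisory describes, protects nothing.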
CVE-2025-62801
FastMCP is the standard framework for building MCP applications. In versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the servername field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. This vulnerability is fix...
EUVD-2025-12788
Malicious code in bioql PyPI...
vul-37
AgentUniverse MCP Command Injection Vulnerability Report S...
GHSA-QGP8-V765-QXX9 @cloudflare/workers-oauth-provider PKCE bypass via downgrade attack
Summary PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework. However, it was found that an attacker could cause the check to be skipped. Impact PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension ...
Duplicate Advisory: @cloudflare/workers-oauth-provider PKCE bypass via downgrade attack
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qgp8-v765-qxx9. This link is maintained to preserve external references. Original Description PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework...
CVE-2025-4144 PKCE bypass via downgrade attack
PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27...
CVE-2025-4144
CVE-2025-4144 affects Cloudflare’s workers-oauth-provider, part of the MCP framework. A flaw in the PKCE implementation allows an attacker to cause the PKCE verification to be skipped, defeating the protection PKCE is meant to provide. Descriptions across sources (Veracode, Red Hat, GHSA advisories, OSV) state that the OAuth check can be ski...
PT-2025-18345 · Unknown · Workers-Oauth-Provider
Name of the Vulnerable Software and Affected Versions: workers-oauth-provider affected versions not specified Description: The issue is related to the OAuth implementation in workers-oauth-provider, part of the MCP framework. An attacker could cause the PKCE check to be skipped, completely...
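The PKCE entries above (GHSA-qgp8-v765-qxx9, CVE-2025-4144, PT-2025-18345) all say the same thing: the verifier check could be made to not run. The following is an added example, not code from workers-oauth-provider, and it assumes one common downgrade shape, a token endpoint that only verifies when the client chooses to send `code_verifier`; the advisories quoted here do not spell out the exact mechanism. The names `AuthCodeRecord`, `verifyPkceDowngradable`, `verifyPkce` and `s256Challenge` are hypothetical. The hardened version keys the decision on what was bound to the authorization code at `/authorize`, so omitting the parameter at `/token` is a failure, not a skip.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example: PKCE verification at the token endpoint, in a shape that is
// open to a downgrade and in a shape that is not. Names are hypothetical and
// not taken from workers-oauth-provider.

export type CodeChallengeMethod = "S256" | "plain";

// What the server stored when it issued the authorization code at /authorize.
export interface AuthCodeRecord {
  clientId: string;
  codeChallenge?: string;
  codeChallengeMethod?: CodeChallengeMethod;
}

// RFC 7636: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
export function s256Challenge(codeVerifier: string): string {
  return createHash("sha256").update(codeVerifier, "ascii").digest().toString("base64url");
}

function constantTimeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Downgradable: verification only runs when the token request carries a
// code_verifier. A client that obtained the code some other way simply omits
// the parameter and the challenge bound at /authorize is never consulted.
export function verifyPkceDowngradable(record: AuthCodeRecord, codeVerifier?: string): boolean {
  if (codeVerifier === undefined || record.codeChallenge === undefined) return true;
  return constantTimeEqual(s256Challenge(codeVerifier), record.codeChallenge);
}

// Hardened: the decision is driven by what was bound to the code, not by what
// the token request chooses to send. A challenge on record makes the verifier
// mandatory; with requirePkce the server also refuses codes issued without one.
export function verifyPkce(
  record: AuthCodeRecord,
  codeVerifier: string | undefined,
  requirePkce = false,
): boolean {
  if (record.codeChallenge === undefined) {
    // PKCE was optional in the advisories' wording; a verifier with no bound
    // challenge is still a protocol mismatch and is refused.
    return !requirePkce && codeVerifier === undefined;
  }
  if (codeVerifier === undefined) return false;
  // RFC 7636 section 4.1: 43..128 characters from the unreserved set.
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(codeVerifier)) return false;
  const method = record.codeChallengeMethod ?? "plain";
  const expected = method === "S256" ? s256Challenge(codeVerifier) : codeVerifier;
  return constantTimeEqual(expected, record.codeChallenge);
}
```

The test a reviewer wants for any PKCE implementation is the negative one: store a challenge, then call the token endpoint without `code_verifier` and confirm the exchange fails. Against the downgradable variant that call succeeds, which is exactly the bypass the advisories describe.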