10 matches found
CVE-2026-39313
mcp-framework is a framework for building Model Context Protocol MCP servers. In versions 0.2.21 and below, the readRequestBody function in the HTTP transport concatenates request body chunks into a string with no size limit. Although a maxMessageSize configuration value exists, it is never...
CVE-2026-39313
mcp-framework is a framework for building Model Context Protocol MCP servers. In versions 0.2.21 and below, the readRequestBody function in the HTTP transport concatenates request body chunks into a string with no size limit. Although a maxMessageSize configuration value exists, it is never...
CVE-2026-39313 MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
mcp-framework is a framework for building Model Context Protocol MCP servers. In versions 0.2.21 and below, the readRequestBody function in the HTTP transport concatenates request body chunks into a string with no size limit. Although a maxMessageSize configuration value exists, it is never...
CVE-2026-39313
CVE-2026-39313 affects mcp-framework's HTTP transport (readRequestBody) where concatenation of request chunks has no size limit. Versions 0.2.21 and earlier are vulnerable; an unauthenticated remote attacker can crash an HTTP server by sending a single large POST to /mcp, causing memory exhaustio...
CVE-2026-39313 MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
mcp-framework is a framework for building Model Context Protocol MCP servers. In versions 0.2.21 and below, the readRequestBody function in the HTTP transport concatenates request body chunks into a string with no size limit. Although a maxMessageSize configuration value exists, it is never...
CVE-2026-39313
mcp-framework is a framework for building Model Context Protocol MCP servers. In versions 0.2.21 and below, the readRequestBody function in the HTTP transport concatenates request body chunks into a string with no size limit. Although a maxMessageSize configuration value exists, it is never...
GHSA-353C-V8X9-V7C3 MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
Summary The readRequestBody function in src/transports/http/server.ts concatenates HTTP request body chunks into a string with no size limit, allowing a remote unauthenticated attacker to crash the server via memory exhaustion with a single large HTTP POST request. Details File:...
Allocation of Resources Without Limits or Throttling
Overview mcp-framework is a Framework for building Model Context Protocol MCP servers in Typescript Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the readRequestBody function. An attacker can exhaust system memory and cause a server...
PT-2026-33368
Name of the Vulnerable Software and Affected Versions mcp-framework versions prior to 0.2.22 Description The readRequestBody function in the HTTP transport concatenates request body chunks into a string without enforcing a size limit. Although a maxMessageSize configuration value exists, it is no...
MCP Framework 安全漏洞
MCP Framework is a TypeScript framework developed by Alex Andru as a building block for context protocols. Versions of the MCP Framework prior to 0.2.21 contained security vulnerabilities. These vulnerabilities stemmed from the readRequestBody function in HTTP transmissions, which concatenated th...