HeadlinesBriefing.com

Critical ReDoS Flaw Hits MCP TypeScript SDK

DEV Community

A high-severity vulnerability, CVE-2026-0621, affects the MCP TypeScript SDK, allowing attackers to crash Node.js servers with a single malicious URI. This Regular Expression Denial of Service (ReDoS) flaw triggers catastrophic backtracking, spiking CPU usage to 100% and blocking the event loop. Developers must upgrade to v1.25.2 immediately to prevent service outages affecting AI-driven workflows.

The vulnerability stems from the SDK's URI template parser, specifically how it handles exploded variables. Attackers craft inputs that force the regex engine into exponential execution paths. This Denial of Service risk is amplified in modern agentic environments, where LLMs often generate requests autonomously: the AI becomes an unwitting accomplice whose requests bypass the traditional security checks applied to external clients.

Patched in version v1.25.2, the fix hardens regex generation to ensure linear-time evaluation. While no data exfiltration is possible, the impact on availability is severe, causing cascading failures in orchestrators. Organizations relying on MCP servers for automated workflows should audit their deployments and apply the update to maintain operational stability.
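The two defensive points above, bounding input before it reaches a pattern and generating patterns that cannot backtrack catastrophically, are illustrated below for one RFC 6570 exploded query variable (`{?list*}`, which expands to `?list=a&list=b`). This is an added example, not code from the MCP SDK or its fix; the function names, the length bound and the sample inputs are assumptions made for the illustration.

```javascript
// Added defensive example (not MCP SDK code): handling an RFC 6570 "exploded"
// query variable such as {?list*} in guaranteed linear time. The names, the
// length bound and the sample inputs below are assumptions for this example.

const MAX_QUERY_LEN = 2048; // assumed bound; applied before any parsing or matching

// Build an anchored pattern for "?name=v1&name=v2...". Every quantified piece
// ([^&=]*) excludes the separators that delimit it, so the engine can never
// split the same characters two ways: no nested or overlapping quantifiers,
// hence no catastrophic backtracking however the input is shaped.
function explodedListPattern(name) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) throw new Error("bad variable name");
  return new RegExp(`^\\?${name}=[^&=]*(?:&${name}=[^&=]*)*$`);
}

// Single-pass scanner that collects every repeated key. Returns null when the
// input is rejected: too long, not a query string, an empty pair or key, or a
// value that is not valid percent-encoding.
function parseExplodedQuery(query, maxLen = MAX_QUERY_LEN) {
  if (typeof query !== "string" || query.length > maxLen) return null;
  if (query[0] !== "?") return null;
  const out = Object.create(null);
  for (const pair of query.slice(1).split("&")) {
    const eq = pair.indexOf("=");
    if (eq <= 0) return null;                // "", "=x" and "key" are malformed
    const key = pair.slice(0, eq);
    let value;
    try {
      value = decodeURIComponent(pair.slice(eq + 1));
    } catch (e) {
      return null;                           // e.g. a lone "%" or "%zz"
    }
    if (!out[key]) out[key] = [];
    out[key].push(value);
  }
  return out;
}

// Constructed samples: a well-formed exploded list, and an over-long input that
// is rejected up front, before the regex or the scanner ever runs on it.
const GOOD = "?list=a&list=b%20c&list=";
const TOO_LONG = "?" + "list=a&".repeat(400) + "list=a";

function demo() {
  return {
    goodMatches: explodedListPattern("list").test(GOOD),
    goodParsed: parseExplodedQuery(GOOD),
    tooLongRejected: parseExplodedQuery(TOO_LONG) === null,
  };
}
```

The length bound is the cheap first line of defence for any deployment still on an unpatched SDK: rejecting oversized URIs before they reach a parser caps the work any single request can cause, even if a pattern elsewhere turns out to be quadratic.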