AIKIDO-2025-10341

fast-mcp is vulnerable to Race Condition

Race Condition Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 3, 2025

10

Low Risk

This Affects:

Ruby / fast-mcp
1.0.0 - 1.4.0
Fixed in 1.5.0

TL;DR

Affected versions of this package are vulnerable to a race condition in the management of the @sse_clients hash within RackTransport when the server runs in a multi-threaded environment. Because access to the hash is not thread-safe, an attacker can trigger denial-of-service (DoS) crashes by flooding the server with SSE connections and disconnections: the error raised when one thread modifies the client registry while another thread is iterating over it is not handled. Additionally, the lack of synchronization around client IO streams opens the possibility of data corruption if an attacker times writes to coincide with modifications of a stream.
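To make the failure mode above concrete, the following added example (written for this page, not fast-mcp's code) models an @sse_clients registry two ways: one that iterates the live hash while other threads add and remove clients, and one that guards the hash with a Mutex and broadcasts over a snapshot. The names UnsafeRegistry, SafeRegistry and hammer, and the connect/disconnect churn it generates, are constructed for the illustration.

```ruby
require "stringio"
# Stand-in for an SSE transport's client registry (constructed for this
# example, not fast-mcp's code). Clients are fake IO objects keyed by id.
class UnsafeRegistry
  def initialize;       @sse_clients = {};        end
  def register(id, io); @sse_clients[id] = io;    end # unsynchronized write
  def unregister(id);   @sse_clients.delete(id);  end
  # Iterates the live hash; a register from another thread landing mid-loop
  # raises RuntimeError ("can't add a new key into hash during iteration").
  def broadcast(event)
    @sse_clients.each_value { |io| io.write(event); Thread.pass }
  end
end

class SafeRegistry
  def initialize;       @sse_clients = {}; @lock = Mutex.new;         end
  def register(id, io); @lock.synchronize { @sse_clients[id] = io };   end
  def unregister(id);   @lock.synchronize { @sse_clients.delete(id) }; end
  def size;             @lock.synchronize { @sse_clients.size };       end
  # Snapshot under the lock, write outside it: the shared hash is never iterated live.
  def broadcast(event)
    snapshot = @lock.synchronize { @sse_clients.values }
    snapshot.each { |io| io.write(event); Thread.pass }
  end
end

# Churn connections on several threads while broadcasting from this one,
# mimicking an SSE connect/disconnect flood. Returns the messages of any
# exceptions the churn threads died with (empty when the registry is safe).
def hammer(registry, rounds: 200)
  churn = 4.times.map do |t|
    Thread.new do
      Thread.current.report_on_exception = false # surfaced via join below
      rounds.times do |i|
        id = "client-#{t}-#{i}"
        registry.register(id, StringIO.new)
        Thread.pass
        registry.unregister(id)
      end
    end
  end
  rounds.times { registry.broadcast("data: ping\n\n"); Thread.pass }
  churn.filter_map do |th|
    th.join
    nil
  rescue RuntimeError => e
    e.message
  end
end
```

Against UnsafeRegistry the churn threads usually die with Ruby's "can't add a new key into hash during iteration" RuntimeError (the exact interleaving depends on the scheduler); against SafeRegistry the returned list is always empty and every client ends up unregistered.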

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

fast-mcp is vulnerable to Race Condition in versions 1.0.0 - 1.4.0.

How to fix this

Upgrade the fast-mcp library to version 1.5.0 or later, where the issue is fixed.