Aikido Intel
Secure My Code
Intel

AIKIDO-2026-10734

fastmcp is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.

65

Medium Risk

This Affects:

PYTHONfastmcp
3.2.0 - 3.2.3
Fixed in 3.2.4
Are you affected? Scan for Free

TL;DR

Affected versions of this package allow a file size limit bypass in the FileUpload store_files tool because the max_file_size check trusts the client-controlled size field instead of validating the real decoded payload size. An attacker can exploit this by submitting a large base64-encoded file while falsely reporting a tiny size value, allowing oversized uploads that should have been rejected. It undermines the intended upload restriction and may enable resource exhaustion, storage abuse, or other downstream impacts depending on how uploaded files are processed.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

fastmcp is vulnerable to Denial of Service (DoS) in versions 3.2.0 - 3.2.3.

How to fix this

Upgrade the fastmcp library to the patch version.

Links

Get Secure Now

Secure your code, cloud, and runtime environments in one central system. Find and fix vulnerabilities automatically.

Start for Free
Book a Demo

No credit card required | Scan results in 32secs.

Aikido Platform
Subscribe
Stay up to date with all updates
LinkedIn YouTube X
© 2026 Aikido Security BV | BE0792914919
Ghent, Belgium | San Francisco, US
SOC 2SOC 2Compliant
ISO 27001ISO 27001Compliant
Get Security Done