mcp is vulnerable to Uncontrolled Resource Consumption
53
Medium Risk
In its default configuration MCP::Server::Transports::StreamableHTTPTransport never expires sessions, storing a new ServerSession for every successful initialize request and only removing it on an explicit client DELETE. An unauthenticated attacker can repeatedly initialize sessions and disconnect, forcing the server to retain an unbounded number of session objects until memory is exhausted. This causes a memory-exhaustion denial of service via an initialize flood. The fix bounds retention with a finite default session_idle_timeout and a max_sessions cap that rejects new sessions with HTTP 503.
You are affected if you are using a version that falls within the vulnerable range and run the Streamable HTTP transport without a configured session expiry limit.
mcp is vulnerable to Uncontrolled Resource Consumption in versions 0.1.0 - 0.22.0.
Upgrade the mcp library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant