Intel

AIKIDO-2026-329399

mcp is vulnerable to Uncontrolled Resource Consumption

Uncontrolled Resource ConsumptionGHSA-52jp-gj8w-j6xh Published Today

53

Medium Risk

This Affects:

RUBYmcp
0.1.0 - 0.22.0
Fixed in 0.23.0
Are you affected? Scan for Free

TL;DR

In its default configuration MCP::Server::Transports::StreamableHTTPTransport never expires sessions, storing a new ServerSession for every successful initialize request and only removing it on an explicit client DELETE. An unauthenticated attacker can repeatedly initialize sessions and disconnect, forcing the server to retain an unbounded number of session objects until memory is exhausted. This causes a memory-exhaustion denial of service via an initialize flood. The fix bounds retention with a finite default session_idle_timeout and a max_sessions cap that rejects new sessions with HTTP 503.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and run the Streamable HTTP transport without a configured session expiry limit.

Background info

mcp is vulnerable to Uncontrolled Resource Consumption in versions 0.1.0 - 0.22.0.

How to fix this

Upgrade the mcp library to the patch version.