mcp-proxy is vulnerable to Denial of Service (DoS)
65
Medium Risk
The HTTP server request listener in startHTTPServer parses the incoming request target with new URL(req.url, ...) before authentication and without guarding against parse errors. A request whose target is not a valid URL, such as //, makes the constructor throw ERR_INVALID_URL inside the listener. The unhandled exception propagates out of the listener and terminates the Node.js process, so any client that can reach the proxy can crash it with a single malformed request. The fix wraps the parse in a try/catch and responds with 400 Bad Request instead of crashing.
You are affected if you are using a version that falls within the vulnerable range.
mcp-proxy is vulnerable to Denial of Service (DoS) in versions 3.0.0 - 6.5.1.
Upgrade the mcp-proxy library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant