Intel

AIKIDO-2026-665211

mcp-proxy is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

65

Medium Risk

This Affects:

JSmcp-proxy
3.0.0 - 6.5.1
Fixed in 6.5.2
Are you affected? Scan for Free

TL;DR

The HTTP server request listener in startHTTPServer parses the incoming request target with new URL(req.url, ...) before authentication and without guarding against parse errors. A request whose target is not a valid URL, such as //, makes the constructor throw ERR_INVALID_URL inside the listener. The unhandled exception propagates out of the listener and terminates the Node.js process, so any client that can reach the proxy can crash it with a single malformed request. The fix wraps the parse in a try/catch and responds with 400 Bad Request instead of crashing.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

mcp-proxy is vulnerable to Denial of Service (DoS) in versions 3.0.0 - 6.5.1.

How to fix this

Upgrade the mcp-proxy library to the patch version.