mcp is vulnerable to Uncontrolled Resource Consumption
75
High Risk
The MCP::Server::Transports::StreamableHTTPTransport reads the entire HTTP request body into a Ruby string and parses it with JSON.parse before any session validation, with no size or Content-Length limit and no bound on JSON nesting. An unauthenticated remote client can send a single oversized JSON-RPC POST that inflates the worker's memory many times over. This causes memory-exhaustion denial of service and can OOM-kill the worker. The fix caps request body reads via max_request_bytes and limits JSON nesting, rejecting oversized requests.
You are affected if you are using a version that falls within the vulnerable range and expose the Streamable HTTP transport to untrusted clients.
mcp is vulnerable to Uncontrolled Resource Consumption in versions 0.1.0 - 0.22.0.
Upgrade the mcp library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant