mcp is vulnerable to Uncontrolled Resource Consumption
62
Medium Risk
The stdio transports in MCP::Server::Transports::StdioTransport and MCP::Client::Stdio read newline-delimited JSON-RPC frames with IO#gets and no limit argument. A peer that streams bytes without emitting a newline forces gets to accumulate the entire stream in a single Ruby string until the process is OOM-killed. This yields a memory-exhaustion denial of service driven by the stdio peer, and is most impactful when the peer is sandboxed or bytes are bridged from a remote source. The fix caps frame reads with a configurable max_line_bytes and closes the connection on over-limit frames.
You are affected if you are using a version that falls within the vulnerable range and use the stdio transport to read frames from a peer you do not fully trust.
mcp is vulnerable to Uncontrolled Resource Consumption in versions 0.1.0 - 0.22.0.
Upgrade the mcp library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant