Intel

AIKIDO-2026-959725

mcp is vulnerable to Uncontrolled Resource Consumption

Uncontrolled Resource ConsumptionGHSA-7683-3w9x-ch42 Published Today

62

Medium Risk

This Affects:

RUBYmcp
0.1.0 - 0.22.0
Fixed in 0.23.0
Are you affected? Scan for Free

TL;DR

The stdio transports in MCP::Server::Transports::StdioTransport and MCP::Client::Stdio read newline-delimited JSON-RPC frames with IO#gets and no limit argument. A peer that streams bytes without emitting a newline forces gets to accumulate the entire stream in a single Ruby string until the process is OOM-killed. This yields a memory-exhaustion denial of service driven by the stdio peer, and is most impactful when the peer is sandboxed or bytes are bridged from a remote source. The fix caps frame reads with a configurable max_line_bytes and closes the connection on over-limit frames.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and use the stdio transport to read frames from a peer you do not fully trust.

Background info

mcp is vulnerable to Uncontrolled Resource Consumption in versions 0.1.0 - 0.22.0.

How to fix this

Upgrade the mcp library to the patch version.