Last 12 weeks · 13 commits
1 of 6 standards met
Repository: vercel/next-devtools-mcp
Description: Next.js Development for Coding Agent
Stars: 655, Forks: 45
Primary language: TypeScript. Languages: TypeScript (89.8%), JavaScript (10.2%)
Homepage: https://www.npmjs.com/package/next-devtools-mcp
Topics: coding-agents, mcp, mcp-server, next-devtools, nextjs
Latest release: v0.3.10 (1mo ago)
Open PRs: 3, open issues: 6. Last activity: 2w ago. Community health: 37%
Top contributors: huozhi, gaojude, vercel-release-bot, andrelandgraf, quuu, ctate, Burry, icyJoseph, M1ngY, MapleCity1314 and others.
Dependency security risk: Anthropic's MCP TypeScript SDK has a ReDoS vulnerability

Package: @modelcontextprotocol/sdk
Affected: < v1.25.2
Patched: v1.25.2 and higher

Impact
A ReDoS vulnerability in the UriTemplate class allows attackers to cause denial of service. The partToRegExp() function generates a regex pattern with nested quantifiers (([^/]+(?:,[^/]+))) for exploded template variables (e.g., {/id}, {?tags}), causing catastrophic backtracking on malicious input.

Who is affected: MCP servers that register resource templates with exploded array patterns and accept requests from untrusted clients.

Attack result: An attacker sends a crafted URI via a resources/read request, causing 100% CPU utilization, server hang/crash, and denial of service for all clients.

Affected Versions
All versions of @modelcontextprotocol/sdk prior to the patched release.

Patches
v1.25.2 contains b392f02ffcf37c088dbd114fedf25026ec3913d3; the fix modifies the regex pattern to prevent backtracking.

Workarounds
- Avoid using exploded patterns ({/id}, {?tags*}) in resource templates
- Implement request timeouts and rate limiting
- Validate URIs before processing to reject suspicious patterns
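The two controls an operator of an MCP server can apply on their own side, upgrading to the patched SDK and validating resource URIs before they reach template matching, as an added TypeScript example. This is not code from vercel/next-devtools-mcp or from the MCP SDK; the function names, the size limits (MAX_URI_LENGTH, MAX_PATH_SEGMENTS, MAX_LIST_ITEMS_PER_SEGMENT) and the sample URIs are assumptions chosen for illustration.

```typescript
// Added defensive example, not part of vercel/next-devtools-mcp or the MCP SDK.
// 1) Confirm the installed @modelcontextprotocol/sdk is at or above the patched release.
// 2) Reject oversized or comma-dense URIs before they are matched against a
//    resource template, so a crafted resources/read URI never reaches the regex.

const PATCHED_SDK_VERSION = "1.25.2"; // patched release named in the advisory

// Parse the numeric core of a version string ("1.25.2", "^1.25.2", "1.25.2-beta").
// Range prefixes and pre-release tags are ignored; missing parts default to 0.
function parseSemver(v: string): [number, number, number] {
  const core = v.replace(/^[^0-9]*/, "").split("-")[0];
  const [major = 0, minor = 0, patch = 0] = core.split(".").map((n) => Number(n));
  return [major, minor, patch];
}

// True when the installed version is >= PATCHED_SDK_VERSION.
function sdkIsPatched(installed: string): boolean {
  const a = parseSemver(installed);
  const b = parseSemver(PATCHED_SDK_VERSION);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Conservative limits for incoming resource URIs (assumed values; tune per deployment).
const MAX_URI_LENGTH = 2048;
const MAX_PATH_SEGMENTS = 32;
const MAX_LIST_ITEMS_PER_SEGMENT = 16; // comma-separated values of an exploded variable

// Cheap, linear-time checks applied before any template regex sees the URI.
// Length and list-item bounds cap the input size that a backtracking matcher
// could be fed; the URL parse rejects anything that is not a well-formed URI.
function isSafeResourceUri(uri: string): boolean {
  if (uri.length > MAX_URI_LENGTH) return false;
  if (/[\u0000-\u001f\u007f]/.test(uri)) return false; // control characters
  let parsed: URL;
  try {
    parsed = new URL(uri);
  } catch (_err) {
    return false;
  }
  const segments = parsed.pathname.split("/").filter((s) => s.length > 0);
  if (segments.length > MAX_PATH_SEGMENTS) return false;
  for (const seg of segments) {
    if (seg.split(",").length > MAX_LIST_ITEMS_PER_SEGMENT) return false;
  }
  let queryOk = true;
  parsed.searchParams.forEach((value) => {
    if (value.split(",").length > MAX_LIST_ITEMS_PER_SEGMENT) queryOk = false;
  });
  return queryOk;
}

// Constructed sample inputs (not taken from any real traffic).
const sampleUris = [
  "https://example.test/items/1,2,3?tags=a,b", // benign exploded values
  "https://example.test/items/" + new Array(101).join("a,"), // 100 list items
  "not a uri",
];
for (const u of sampleUris) {
  console.log(isSafeResourceUri(u) ? "accept" : "reject", u.slice(0, 60));
}
console.log("sdk 1.25.1 patched?", sdkIsPatched("1.25.1"));
console.log("sdk 1.25.2 patched?", sdkIsPatched("1.25.2"));
```

Run the validator on every resources/read URI before handing it to the template matcher, and treat a rejection as a client error rather than a server fault. Note that a request timeout in Node.js cannot interrupt a synchronous regex match that is already running on the event loop; the timeout bounds how long a client waits, while upgrading the SDK and pre-validating input are what actually prevent the CPU exhaustion.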
Recent pull request: Add quick install option in Getting Started. Testing: not run (docs change).