next-devtools-mcp

Dependency security risk - Anthropic's MCP TypeScript SDK has a ReDoS vulnerability @modelcontextprotocol/sdk < v1.25.2 affected patched version v1.25.2 and higher Impact A ReDoS vulnerability in the UriTemplate class allows attackers to cause denial of service. The partToRegExp() function generates a regex pattern with nested quantifiers (([^/]+(?:,[^/]+))) for exploded template variables (e.g., {/id}, {?tags}), causing catastrophic backtracking on malicious input. Who is affected: MCP servers that register resource templates with exploded array patterns and accept requests from untrusted clients. Attack result: An attacker sends a crafted URI via resources/read request, causing 100% CPU utilization, server hang/crash, and denial of service for all clients. Affected Versions All versions of @modelcontextprotocol/sdk prior to the patched release. Patches v1.25.2 contains b392f02ffcf37c088dbd114fedf25026ec3913d3 the fix modifies the regex pattern to prevent backtracking. Workarounds Avoid using exploded patterns ({/id}, {?tags*}) in resource templates Implement request timeouts and rate limiting Validate URIs before processing to reject suspicious patterns

Summary Closes #120 by removing the hard pin on and upgrading to a patched semver range. Changes : -> importer specifier updated to resolved version now Validation (38 passing)