Labels
area: @angular/cli, freq1: low (Only reported by a handful of users who observe it rarely), severity6: security, type: bug/fix
Description
Command
version
Is this a regression?
- Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was
No response
Description
Security Vulnerability Report
High Severity: DNS Rebinding Protection Disabled by Default
Package: @modelcontextprotocol/sdk
Issue: Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default
Vulnerable versions: <1.24.0
Patched versions: >=1.24.0
Dependency Path:
packages__samples__angular > @angular/cli > @modelcontextprotocol/sdk
More information: [GitHub Advisory GHSA-w48q-cv73-mx4w](GHSA-w48q-cv73-mx4w)
Recommended Action
Update @modelcontextprotocol/sdk to version 1.24.0 or later to resolve this vulnerability.
Minimal Reproduction
pnpm audit
Exception or Error
Your Environment
Anything else relevant?
No response
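To confirm which dependency paths still pull in an affected copy after an upgrade, the following added example (not part of the issue report or of the Angular CLI code base) walks a dependency tree and lists every path ending in `@modelcontextprotocol/sdk` below 1.24.0. The function names, the nested `name -> { version, dependencies }` tree shape and all version numbers in the sample tree are assumptions constructed for illustration; adapt the walker to your package manager's JSON listing.

```javascript
// Added example; the tree below is constructed sample data, not real audit output.
const PACKAGE = '@modelcontextprotocol/sdk';
const PATCHED = '1.24.0'; // first patched version named in the report

// Extract [major, minor, patch]; any suffix is handled by the caller.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version < PATCHED. A pre-release of PATCHED sorts below it.
function isVulnerable(version) {
  const a = parseVersion(version);
  const b = parseVersion(PATCHED);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return /^\d+\.\d+\.\d+-/.test(version);
}

// Depth-first walk; returns each path that ends in a vulnerable copy.
function findVulnerablePaths(node, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = [...trail, `${name}@${dep.version}`];
    if (name === PACKAGE && isVulnerable(dep.version)) hits.push(path.join(' > '));
    hits.push(...findVulnerablePaths(dep, path));
  }
  return hits;
}

// Constructed tree: one vulnerable path and one already patched path.
const sampleTree = {
  name: 'packages__samples__angular',
  dependencies: {
    '@angular/cli': {
      version: '0.0.0-placeholder', // placeholder, not a real release
      dependencies: { [PACKAGE]: { version: '1.23.0' } },
    },
    'patched-consumer': { // hypothetical package
      version: '1.0.0',
      dependencies: { [PACKAGE]: { version: '1.24.0' } },
    },
  },
};

console.log(findVulnerablePaths(sampleTree, [sampleTree.name]).join('\n'));
```

An empty result means no copy below 1.24.0 remains in the tree that was checked.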