Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-53365

Опубликовано: 04 июл. 2025
Источник: redhat
CVSS3: 5.3
EPSS Низкий

Описание

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.10.0, if a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.10.0 contains a patch for the issue.

A flaw was found in MCP. The mcp Python SDK exhibits an uncaught exception when a client intentionally triggers an error following the establishment of a streamable HTTP session. This condition allows a remote attacker to cause a program crash. The vulnerability stems from a lack of exception handling during the session lifecycle.

Отчет

The severity of this vulnerability is rated Moderate, as it does not impact system availability. The effects are confined to the application layer without compromising the underlying system stability.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Lightspeedopenshift-lightspeed/lightspeed-service-api-rhel9Affected

Показывать по

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-248
https://bugzilla.redhat.com/show_bug.cgi?id=2376486mcp: MCP Server Crash via ClosedResourceError

EPSS

Процентиль: 18%
0.00057
Низкий

5.3 Medium

CVSS3

Связанные уязвимости

nvd
около 1 месяца назад

The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.10.0, if a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.10.0 contains a patch for the issue.

github
около 1 месяца назад

MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service

EPSS

Процентиль: 18%
0.00057
Низкий

5.3 Medium

CVSS3