CVE-2025-53366
Published 2025-07-04
Priority P3 · 54 · High 8.7 (CVSS 4.0)
EPSS: 5.69% (92.0th percentile)
The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.9.4, a validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.9.4 contains a patch for the issue.
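The failure mode described above is CWE-248 (uncaught exception): a request that fails validation raises inside the request path, and because nothing catches it, the server returns a 500 and, depending on how it is hosted, stays unavailable. The following is an added illustration, not code from the MCP Python SDK or the FastMCP server. It uses a hand-written JSON-RPC 2.0 validator and a toy method table (`ping`) as assumptions, contrasts an unguarded handler that lets the validation error escape with a guarded one that converts it to a JSON-RPC `Invalid Request` error, and includes a version check against the fixed release (1.9.4) named in the advisory.

```python
"""Unguarded vs. guarded request validation (illustrative, not the SDK's code)."""
import json

FIXED_VERSION = (1, 9, 4)  # first fixed release per the advisory


def parse_version(v: str) -> tuple:
    """Turn '1.9.3' or '1.9.4rc1' into a comparable tuple of leading integers."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed: str) -> bool:
    """True if an installed `mcp` version falls in the affected range (< 1.9.4)."""
    return parse_version(installed) < FIXED_VERSION


class RequestValidationError(ValueError):
    """Raised when a request is not a well-formed JSON-RPC 2.0 request."""


def validate_request(raw: bytes) -> dict:
    """Parse and validate one JSON-RPC 2.0 request body; raise on malformed input."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as e:
        raise RequestValidationError(f"invalid JSON: {e.msg}") from e
    if not isinstance(obj, dict):
        raise RequestValidationError("request must be a JSON object")
    if obj.get("jsonrpc") != "2.0":
        raise RequestValidationError("jsonrpc must be '2.0'")
    method = obj.get("method")
    if not isinstance(method, str) or not method:
        raise RequestValidationError("method must be a non-empty string")
    params = obj.get("params", {})
    if not isinstance(params, (dict, list)):
        raise RequestValidationError("params must be an object or array")
    return obj


# Toy method table; an assumption for illustration, not the MCP method set.
HANDLERS = {"ping": lambda params: {}}


def dispatch(req: dict) -> dict:
    handler = HANDLERS.get(req["method"])
    if handler is None:
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "error": {"code": -32601, "message": "Method not found"}}
    return {"jsonrpc": "2.0", "id": req.get("id"),
            "result": handler(req.get("params", {}))}


def handle_unguarded(raw: bytes) -> dict:
    """Vulnerable shape: a validation error propagates to the caller as an exception."""
    return dispatch(validate_request(raw))


def handle_guarded(raw: bytes) -> dict:
    """Hardened shape: malformed input becomes a JSON-RPC error; the server keeps serving."""
    try:
        req = validate_request(raw)
    except RequestValidationError as e:
        return {"jsonrpc": "2.0", "id": None,
                "error": {"code": -32600, "message": f"Invalid Request: {e}"}}
    return dispatch(req)


def serve(handler, requests: list) -> list:
    """Feed a batch through a handler as a long-lived server would; an escaping
    exception aborts the loop, which models 'unavailable until restarted'."""
    return [handler(raw) for raw in requests]


def survives(handler, requests: list) -> bool:
    """True if every request was processed without an exception escaping the handler."""
    try:
        serve(handler, requests)
        return True
    except Exception:
        return False


# Constructed sample traffic: two valid requests around one malformed request
# (method is an array instead of a string).
CONSTRUCTED_REQUESTS = [
    b'{"jsonrpc":"2.0","id":1,"method":"ping","params":{}}',
    b'{"jsonrpc":"2.0","id":2,"method":["not","a","string"]}',
    b'{"jsonrpc":"2.0","id":3,"method":"ping"}',
]

if __name__ == "__main__":
    print("mcp 1.9.3 affected:", is_affected("1.9.3"))
    print("unguarded survives batch:", survives(handle_unguarded, CONSTRUCTED_REQUESTS))
    print("guarded survives batch:", survives(handle_guarded, CONSTRUCTED_REQUESTS))
```

The point of the contrast is where the boundary sits: with the unguarded handler the third, perfectly valid request is never served because the second one took the loop down; with the guarded handler the malformed request costs one error response and nothing else. Whether a real deployment sees "500s until restarted" or a quick recovery depends on the ASGI server and any supervisor or orchestrator in front of it, which is why the advisory hedges on impact; the durable fix is upgrading `mcp` to 1.9.4 or later.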
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| modelcontextprotocol | python-sdk | < 1.9.4 | 1.9.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | | 8.7 | HIGH | |
GHSA
MCP Python SDK vulnerability in the FastMCP Server causes validation error, leading to DoS
ghsa · 2025-07-04 · CVE-2025-53366 · HIGH · CWE-248
A validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures.
Thank you to Rich Harang for reporting this issue.
OSV
MCP Python SDK vulnerability in the FastMCP Server causes validation error, leading to DoS
osv · 2025-07-04 · CVE-2025-53366 · HIGH
A validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures.
Thank you to Rich Harang for reporting this issue.
Red Hat
mcp: MCP SDK Denial of Service Vulnerability
vendor_redhat · 2025-07-04 · CVE-2025-53366 · CVSS 8.7 · HIGH · CWE-248
The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.9.4, a validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.9.4 contains a patch for the issue.
A flaw was found in MCP. The MCP Python SDK contains a validation error that leads to an unhandled exception when processing malformed requests. This flaw allows a remote attacker to trigger this condition by sending a crafted request, resulting in an application-level service interru
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2025-07-04