
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN421
_____________________________________________________________________

DATE                : 08/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running mcp versions prior to 1.10.0.

=====================================================================
https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-3qhf-m339-9g5v
https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-j975-95f5-7wqh
_____________________________________________________________________


MCP SDK FastMCP Server Validation Error Leading to Denial of Service
High
jenn-newton published GHSA-3qhf-m339-9g5v Jul 4, 2025

Package
mcp (pip)

Affected versions
< 1.9.4

Patched versions
1.9.4


Description

A validation error in the MCP SDK can cause an unhandled exception
when processing malformed requests, resulting in service
unavailability (HTTP 500 errors) until the server is manually
restarted. Impact may vary depending on deployment conditions and
the presence of infrastructure-level resilience measures. #822

Thank you to Rich Harang for reporting this issue.


Severity
High
8.7 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
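The vector string above is the machine-readable form of the metric table that precedes it. As an added example (not part of this note or of the MCP SDK), the following Python parses a CVSS v4.0 base vector, expands it to the metric names used in the table, and flags the profile both advisories share: reachable from the network with no privileges or user interaction, and availability of the vulnerable system as the only impact. It handles only the eleven mandatory base metrics, rejecting threat, environmental and supplemental metrics, and it does not compute the 8.7 score, which requires the specification's MacroVector lookup tables.

```python
"""Parse and sanity-check a CVSS v4.0 base vector (added example)."""

_CIA = {"H": "High", "L": "Low", "N": "None"}

# The eleven mandatory base metrics, in the order the specification lists
# them, with the human-readable names used in advisory tables.
CVSS4_BASE_METRICS = [
    ("AV", "Attack Vector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    ("AC", "Attack Complexity", {"L": "Low", "H": "High"}),
    ("AT", "Attack Requirements", {"N": "None", "P": "Present"}),
    ("PR", "Privileges Required", {"N": "None", "L": "Low", "H": "High"}),
    ("UI", "User Interaction", {"N": "None", "P": "Passive", "A": "Active"}),
    ("VC", "Vulnerable System Confidentiality", _CIA),
    ("VI", "Vulnerable System Integrity", _CIA),
    ("VA", "Vulnerable System Availability", _CIA),
    ("SC", "Subsequent System Confidentiality", _CIA),
    ("SI", "Subsequent System Integrity", _CIA),
    ("SA", "Subsequent System Availability", _CIA),
]

# Vector taken from the advisory above.
ADVISORY_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"


def parse_cvss4_vector(vector: str) -> dict:
    """Return {abbreviation: value} for a CVSS v4.0 base vector, or raise ValueError.

    Only the mandatory base metrics are accepted; optional threat,
    environmental and supplemental metrics are out of scope here.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {parts[0]!r}")
    allowed = {abbr: values for abbr, _name, values in CVSS4_BASE_METRICS}
    metrics = {}
    for part in parts[1:]:
        abbr, sep, value = part.partition(":")
        if not sep or abbr not in allowed:
            raise ValueError(f"unsupported or malformed metric: {part!r}")
        if value not in allowed[abbr]:
            raise ValueError(f"invalid value {value!r} for metric {abbr}")
        if abbr in metrics:
            raise ValueError(f"duplicate metric {abbr}")
        metrics[abbr] = value
    missing = [abbr for abbr in allowed if abbr not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def expand(metrics: dict) -> dict:
    """Map a parsed vector to the metric names and values used in the advisory table."""
    return {name: values[metrics[abbr]] for abbr, name, values in CVSS4_BASE_METRICS}


def is_unauthenticated_remote_dos(metrics: dict) -> bool:
    """True when the only impact is availability of the vulnerable system and the
    vector is network-reachable with no privileges or user interaction required."""
    return (
        metrics["AV"] == "N" and metrics["PR"] == "N" and metrics["UI"] == "N"
        and metrics["VC"] == "N" and metrics["VI"] == "N" and metrics["VA"] != "N"
        and metrics["SC"] == "N" and metrics["SI"] == "N" and metrics["SA"] == "N"
    )


if __name__ == "__main__":
    parsed = parse_cvss4_vector(ADVISORY_VECTOR)
    for name, value in expand(parsed).items():
        print(f"{name}: {value}")
    print("unauthenticated remote DoS profile:", is_unauthenticated_remote_dos(parsed))
```

Run on the advisory vector, `expand` reproduces the metric table and `is_unauthenticated_remote_dos` returns True, which is a quick way to triage a feed of advisories for availability-only issues before reading each one in full.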

CVE ID
CVE-2025-53366

Weaknesses
No CWEs

Credits

    @rharang (Reporter)

_____________________________________________________________________


Unhandled Exception in Streamable HTTP Transport Leading to Denial
of Service

High
jenn-newton published GHSA-j975-95f5-7wqh Jul 4, 2025

Package
mcp (pip)

Affected versions
< 1.10.0

Patched versions
1.10.0


Description

If a client deliberately triggers an exception after establishing a
streamable HTTP session, this can lead to an uncaught
ClosedResourceError on the server side, causing the server to crash
and requiring a restart to restore service. Impact may vary
depending on deployment conditions and the presence of
infrastructure-level resilience measures. #967

Thank you to Rich Harang for reporting this issue.

Severity
High
8.7 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2025-53365

Weaknesses
No CWEs

Credits

    @rharang (Reporter)
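The two advisories are fixed in different mcp releases (1.9.4 and 1.10.0), so a deployment that upgraded for the first one is still exposed to CVE-2025-53365. As an added example (not part of this note or of the MCP SDK), the following Python reports which of the two advisories apply to a given mcp version and, when run directly, reads the installed version of the `mcp` distribution with `importlib.metadata`. The version parser is a deliberately small subset of PEP 440 (dotted releases plus a/b/rc pre-releases); the fixed versions and identifiers are those stated in the advisories above.

```python
"""Check an mcp version against the two advisories above (added example)."""
import re
from importlib import metadata
from typing import Optional

# Fixed versions as stated in the advisories: anything older is affected.
ADVISORIES = {
    "GHSA-3qhf-m339-9g5v": ("CVE-2025-53366", "1.9.4"),
    "GHSA-j975-95f5-7wqh": ("CVE-2025-53365", "1.10.0"),
}

_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?")


def parse_version(text: str) -> tuple:
    """Parse a dotted release with an optional a/b/rc pre-release into a sortable key.

    Subset of PEP 440 ordering: trailing zeros are insignificant (1.10 == 1.10.0)
    and a pre-release sorts below the final release with the same number
    (1.10.0rc1 < 1.10.0). Post, dev and local segments are rejected.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    if m.group(2) is None:
        return (tuple(release), 1, ())  # final release
    return (tuple(release), 0, (_PRE_ORDER[m.group(2)], int(m.group(3))))


def affected_by(installed: str) -> list:
    """Return the GHSA ids whose fix version is newer than the installed version."""
    current = parse_version(installed)
    return [
        ghsa
        for ghsa, (_cve, fixed) in ADVISORIES.items()
        if current < parse_version(fixed)
    ]


def installed_mcp_version() -> Optional[str]:
    """Version of the 'mcp' distribution in this environment, or None if absent."""
    try:
        return metadata.version("mcp")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    version = installed_mcp_version()
    if version is None:
        print("mcp is not installed in this environment")
    else:
        hits = affected_by(version)
        if not hits:
            print(f"mcp {version}: not affected by either advisory")
        for ghsa in hits:
            cve, fixed = ADVISORIES[ghsa]
            print(f"mcp {version}: affected by {ghsa} ({cve}), upgrade to >= {fixed}")
```

Running the script inside each virtual environment that serves an MCP endpoint gives a per-deployment answer; `affected_by` can also be fed versions collected from lockfiles or an SBOM.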



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
