Inefficient Regular Expression Complexity

Summary

Anthropic's MCP TypeScript SDK versions through 1.25.1 contain a Regular Expression Denial-of-Service (ReDoS) vulnerability in the "UriTemplate" class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a Denial-of-Service (DoS).