Critical · Denial-of-service

CVE-2026-39313

mcp-framework versions <= 0.2.21 do not enforce a maximum message size on inbound JSON-RPC payloads. A single large request can exhaust heap memory and take a production MCP server offline.

What is it?

mcp-framework is a popular TypeScript implementation of Anthropic's Model Context Protocol. Prior to 0.2.22, the HTTP transport reads the full request body into memory before validating its shape. Versions up to and including 0.2.21 have no cap on this read. An unauthenticated client can POST a multi-megabyte JSON body and trigger one of:

Heap exhaustion → Node process crash
Event-loop starvation → all other inbound requests hang
Container restart storms if the MCP server is behind a k8s liveness probe

Source: thehackerwire.com/vulnerability/CVE-2026-39313 · related Anthropic MCP SDK arbitrary-command-execution disclosure published by OX Security.

Who is affected?

Anyone running mcp-framework at or below 0.2.21 — check with npm ls mcp-framework
Any MCP server fronted by HTTP transport without a reverse-proxy body-size limit (nginx client_max_body_size, Cloudflare proxy, AWS ALB)
Self-hosted MCP servers exposed on the public internet — internal servers are at lower risk but still vulnerable to insiders

How Shield detects it

Two non-destructive checks run on any target you paste into the MCP scanner:

Fetch the server's /.well-known/mcp, /version, and root path. Parse any Server header or response body for an mcp-framework version banner. Compare to 0.2.21.
POST a 1KB benign JSON body (safe probe). If the server accepts it without returning 413 Payload Too Large at a configured cap, Shield emits a high-severity finding noting that maxMessageSize is not enforced at the transport layer.

Shield never sends malicious payloads. The probe is gentle and self-limiting.

How to fix

1. Upgrade the library

npm install mcp-framework@^0.2.22
# or: pnpm up mcp-framework
# verify:
npm ls mcp-framework

2. Enforce maxMessageSize explicitly

import { Server } from 'mcp-framework';

new Server({
  // fail-closed: reject anything over 256KB
  maxMessageSize: 256 * 1024,
});

3. Add a reverse-proxy cap (defense in depth)

# nginx
client_max_body_size 512k;

# Caddy
request_body {
  max_size 512KB
}

4. Rate-limit by IP

Even with a body cap, an attacker can still spam. Put the MCP server behind express-rate-limit, nginx limit_req, or Cloudflare Rate Limiting Rules. 60 req/min/IP is a reasonable default.

Verify the fix

Re-run the Shield MCP scan after deploying. A clean result shows:

Banner reports mcp-framework >= 0.2.22
413 returned on 1KB+ bodies when maxMessageSize is low, OR confirmed upgrade in dependency manifest
No CRITICAL or HIGH findings in the MCP group

Scan your MCP server → Scan your package.json → Shield SDK