Resource exhaustion in Quantgeekdev Mcp-framework

CVE-2026-39313

mcp-framework is a framework for building Model Context Protocol (MCP) servers. In versions 0.2.21 and below, the readRequestBody() function in the HTTP transport concatenates request body chunks into a string with no size limit. Although…

EPSS: 0.001 (20.9th percentile) — read the EPSS interpretation.

Affected products

Quantgeekdev Mcp-framework — versions < 0.2.22

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/QuantGeekDev/mcp-framework/security/advisories/GHSA-353c-v8x9-v7c3 (x_refsource_CONFIRM)
https://github.com/QuantGeekDev/mcp-framework/commit/f97d2bb76d6359faf10cd1fc54b4911476b62524 (x_refsource_MISC)