—
PYSEC-2026-1618
MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service
Details
If a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures.
Thank you to Rich Harang for reporting this issue.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-j975-95f5-7wqh [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-53365 [ADVISORY]
- https://github.com/modelcontextprotocol/python-sdk/pull/967 [WEB]
- https://github.com/modelcontextprotocol/python-sdk/commit/7b420656de48cfdb90b39eb582e60b6d55c2f891 [WEB]
- https://github.com/modelcontextprotocol/python-sdk [PACKAGE]
- https://github.com/modelcontextprotocol/python-sdk/releases/tag/v1.10.0 [WEB]
- https://pypi.org/project/mcp [PACKAGE]
- https://github.com/advisories/GHSA-j975-95f5-7wqh [ADVISORY]