Fix CVE-2026-4926: upgrade @modelcontextprotocol/sdk to 1.29.0 #21

Merged
mattpodwysocki merged 1 commit into main from fix/cve-2026-4926-path-to-regexp
Apr 1, 2026
@mattpodwysocki
Contributor

Summary

Fixes CVE-2026-4926 (GHSA-j3q9-mxjg-w52f) — ReDoS in path-to-regexp < 8.4.0, pulled in transitively via @modelcontextprotocol/sdk → express → router → path-to-regexp@8.3.0.

Upgrading the SDK to 1.29.0 resolves path-to-regexp to 8.4.1.

🤖 Generated with Claude Code

path-to-regexp < 8.4.0 has a ReDoS vulnerability (GHSA-j3q9-mxjg-w52f)
pulled in transitively via:
@modelcontextprotocol/sdk -> express -> router -> path-to-regexp@8.3.0

Upgrading the SDK to 1.29.0 resolves path-to-regexp to 8.4.1.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mattpodwysocki mattpodwysocki requested a review from a team as a code owner April 1, 2026 17:59
@mattpodwysocki mattpodwysocki merged commit a1f56a2 into main Apr 1, 2026
2 checks passed
@mattpodwysocki mattpodwysocki deleted the fix/cve-2026-4926-path-to-regexp branch April 1, 2026 18:12
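
An added example, not part of this pull request or the project's code: a check that walks a `package-lock.json` (v2/v3 `packages` map) and reports any installed `path-to-regexp` below the fixed version, together with the dependency chain that pulls it in. The sample lockfile is constructed and its versions, apart from `path-to-regexp@8.3.0`, are placeholders; the `8.4.0` threshold is the range stated in the summary above.

```javascript
// Constructed sample (package-lock.json v3 shape), NOT the project's lockfile; only 8.3.0 is from the PR.
const sampleLock = {
  packages: {
    "": { dependencies: { "@modelcontextprotocol/sdk": "^1.0.0" } },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.0.0", dependencies: { express: "^5.0.0" } },
    "node_modules/express": { version: "5.0.0", dependencies: { router: "^2.0.0" } },
    "node_modules/router": { version: "2.0.0", dependencies: { "path-to-regexp": "^8.0.0" } },
    "node_modules/path-to-regexp": { version: "8.3.0" },
  },
};

// Numeric major.minor.patch compare; prerelease/build suffixes are ignored (simplification).
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(/[-+]/)[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Node-style resolution: try <from>/node_modules/<dep>, then each enclosing node_modules.
function resolveDep(packages, from, dep) {
  for (let base = from; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from the root project; reports each install of `name` older than `fixedIn`
// with the first (shortest) dependency chain that reaches it.
function findVulnerable(lock, name, fixedIn) {
  const packages = lock.packages || {};
  const hits = [], seen = new Set([""]), queue = [{ path: "", chain: [] }];
  while (queue.length) {
    const { path, chain } = queue.shift();
    const pkg = packages[path] || {};
    for (const dep of Object.keys({ ...pkg.dependencies, ...pkg.optionalDependencies })) {
      const resolved = resolveDep(packages, path, dep);
      if (!resolved || seen.has(resolved)) continue;
      seen.add(resolved);
      const version = packages[resolved].version;
      const next = [...chain, `${dep}@${version}`];
      if (dep === name && version && cmpVersion(version, fixedIn) < 0) hits.push({ path: resolved, version, chain: next });
      queue.push({ path: resolved, chain: next });
    }
  }
  return hits;
}
```

To run it against a real project, pass the parsed contents of `package-lock.json` in place of `sampleLock` and fail the build when the returned array is non-empty.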
2 participants