CVE-2025-53366 Overview
CVE-2025-53366 affects the Model Context Protocol (MCP) Python SDK, distributed as the mcp package on PyPI. A validation error in versions prior to 1.9.4 triggers an unhandled exception when the server processes malformed requests. The unhandled exception causes the MCP service to return HTTP 500 errors and remain unavailable until an operator manually restarts the process. The flaw is categorized under [CWE-248] Uncaught Exception. Remote attackers can send crafted requests over the network without authentication or user interaction. Version 1.9.4 of the mcp package contains the official fix.
Critical Impact
Unauthenticated remote attackers can force MCP Python SDK servers offline by submitting malformed requests, requiring manual restart to restore availability.
Affected Products
- MCP Python SDK (mcp on PyPI) versions prior to 1.9.4
- Applications embedding the Model Context Protocol Python SDK as a server component
- Deployments without infrastructure-level resilience such as auto-restart or health-check recovery
Discovery Timeline
- 2025-07-04 - CVE-2025-53366 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-53366
Vulnerability Analysis
The MCP Python SDK provides server and client primitives for the Model Context Protocol, which standardizes how large language model (LLM) applications exchange context. The server-side session handler in src/mcp/shared/session.py processes incoming JSON-RPC messages and dispatches them based on type. When a request fails Pydantic validation, the SDK previously raised an exception that propagated up the call stack without being caught by the session loop. The unhandled exception terminates the request-handling task and prevents the server from responding to subsequent traffic, producing HTTP 500 responses. Because the MCP server holds long-lived connections, a single malformed request can disrupt service for all connected clients. Operators must manually restart the affected process to restore functionality.
Root Cause
The root cause is missing exception handling around request validation in the shared session module. The SDK did not translate Pydantic ValidationError failures into structured JSON-RPC error responses such as INVALID_PARAMS. Instead, the exception bubbled out of the message dispatch loop and stopped the worker.
Attack Vector
An unauthenticated remote attacker sends a malformed MCP request to a publicly reachable server endpoint. The request must fail schema validation in a way that triggers the uncaught path. No privileges, user interaction, or prior knowledge of the deployment are required.
# Patch excerpt from src/mcp/shared/session.py
from mcp.shared.message import MessageMetadata, ServerMessageMetadata, SessionMessage
from mcp.types import (
CONNECTION_CLOSED,
+ INVALID_PARAMS,
CancelledNotification,
ClientNotification,
ClientRequest,
Source: GitHub Commit 29c69e6. The fix imports the INVALID_PARAMS error code and returns a proper JSON-RPC error to the client instead of allowing the exception to crash the session.
Detection Methods for CVE-2025-53366
Indicators of Compromise
- Repeated HTTP 500 responses from MCP server endpoints following malformed JSON-RPC payloads
- MCP server processes that stop accepting new requests without crashing or exiting
- Python tracebacks in application logs referencing pydantic.ValidationError from mcp/shared/session.py
- Unexpected service restarts of MCP-based applications recorded by orchestrators or process managers
Detection Strategies
- Inspect application logs for unhandled ValidationError exceptions originating in the mcp package on PyPI versions below 1.9.4
- Monitor the ratio of HTTP 500 responses to total requests on MCP endpoints and alert on sudden spikes
- Use software composition analysis to flag any deployed service that imports mcp at a version prior to 1.9.4
Monitoring Recommendations
- Configure liveness and readiness probes that detect frozen MCP worker tasks, not just process existence
- Aggregate JSON-RPC error responses by method name and source IP to surface probing behavior
- Track restart counts for MCP service containers and alert when restart frequency exceeds baseline
How to Mitigate CVE-2025-53366
Immediate Actions Required
- Upgrade the mcp PyPI package to version 1.9.4 or later across all environments hosting an MCP server
- Audit deployments to identify services that import the MCP Python SDK and confirm their pinned versions
- Restrict network exposure of MCP server endpoints to trusted clients while patching is in progress
Patch Information
The fix is published in mcp version 1.9.4 on PyPI. Technical details are available in GitHub Pull Request #822, the commit 29c69e6, and GitHub Security Advisory GHSA-3qhf-m339-9g5v. The patch catches validation errors and returns the INVALID_PARAMS JSON-RPC error instead of allowing the exception to escape the session loop.
Workarounds
- Run MCP servers under a supervisor such as systemd, supervisord, or Kubernetes with automatic restart on failure
- Place a reverse proxy or API gateway in front of MCP endpoints to filter requests that do not conform to expected schemas
- Apply rate limiting on MCP endpoints to slow repeated malformed-request attempts from a single source
# Upgrade the MCP Python SDK to a patched version
pip install --upgrade "mcp>=1.9.4"
# Verify the installed version
python -c "import mcp, importlib.metadata; print(importlib.metadata.version('mcp'))"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
