chore(deps): update dependency @modelcontextprotocol/sdk to v1.24.0 [security]

[descope]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
@modelcontextprotocol/sdk (source)	dependencies	minor	1.15.1 -> 1.24.0

GitHub Vulnerability Alerts

CVE-2025-66414

The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.

Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.

Servers created via createMcpExpressApp() now have this protection enabled by default when binding to localhost. Users with custom Express configurations are advised to update to version 1.24.0 and apply the exported hostHeaderValidation() middleware when running an unauthenticated server on localhost.

---

Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

CVE-2025-66414 / GHSA-w48q-cv73-mx4w

More information

Details

The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.

Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.

Servers created via createMcpExpressApp() now have this protection enabled by default when binding to localhost. Users with custom Express configurations are advised to update to version 1.24.0 and apply the exported hostHeaderValidation() middleware when running an unauthenticated server on localhost.

Severity

• CVSS Score: 7.6 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-w48q-cv73-mx4w
• https://nvd.nist.gov/vuln/detail/CVE-2025-66414
• https://github.com/modelcontextprotocol/typescript-sdk/pull/1205
• https://github.com/modelcontextprotocol/typescript-sdk/commit/09623e2aa5044f9e9da62c73d820a8250b9d97ed
• https://github.com/modelcontextprotocol/typescript-sdk/commit/608360047dc6899f1cf4f0226eb62fe7b11b3898
• https://github.com/modelcontextprotocol/typescript-sdk

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.24.0

Compare Source

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

• fix: update spec links from latest to draft by @​domdomegg in #​1171
• Make sure to consume HTTP error response bodies by @​GreenStage in #​1173
• docs: add GET request handling for streamableHttp stateless mode by @​saharis9988 in #​1161
• SEP-1686: Tasks by @​LucaButBoring in #​1041
• Fix JSON parse error on SSE events with empty data by @​felixweinberger in #​1184
• Fix StreamableHTTPClientTransport instantiation by @​yuwzho in #​944
• feat: eslint rule to prefer node protocols by @​mattzcarey in #​1187
• fix: call tasks/result to deliver side-channel messages by @​felixweinberger in #​1185
• Add invalid_target oauth error (rfc 8707) by @​GreenStage in #​1183
• fix(client): use StreamableHTTPError instead of plain Error in send() by @​yamadashy in #​1178
• coerce 'expires_in' to be a number by @​adam-kuhn in #​1111
• Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @​jerome3o-anthropic in #​1189
• fix: update registerTool signature for proper typed ToolCallback by @​mattzcarey in #​1188
• SEP-1046: Client credentials flow for M2M without user interaction by @​KKonstantinov in #​1157
• adds the transitive @​types/express-serve-static-core dependency as a direct devDependency by @​mgyarmathy in #​1078
• Fix optional argument handling in prompts for Zod V4 by @​filip-bartuska-ipf in #​1199
• fix hanging stdio servers by @​mattzcarey in #​1200
• README refactor by @​KKonstantinov in #​1197
• [Docs] Fix typo by @​koic in #​1067
• feat: add closeSSEStream callback to RequestHandlerExtra by @​felixweinberger in #​1166
• fix: improve SSE reconnection behavior by @​felixweinberger in #​1191
• fix: normalize headers in sse transport by @​marcrasi in #​856
• feat: add closeStandaloneSSEStream for GET stream polling by @​felixweinberger in #​1203
• fix: normalize null to undefined in ElicitResultSchema content field by @​mattzcarey in #​1204
• Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @​jacopoc in #​1205
• fix: allow zod 4 transformations by @​mattzcarey in #​1213
• feat: backwards-compatible createMessage overloads for SEP-1577 by @​felixweinberger in #​1212
• chore: bump version for release by @​felixweinberger in #​1215

New Contributors

• @​GreenStage made their first contribution in #​1173
• @​saharis9988 made their first contribution in #​1161
• @​yuwzho made their first contribution in #​944
• @​yamadashy made their first contribution in #​1178
• @​adam-kuhn made their first contribution in #​1111
• @​mgyarmathy made their first contribution in #​1078
• @​filip-bartuska-ipf made their first contribution in #​1199
• @​koic made their first contribution in #​1067
• @​marcrasi made their first contribution in #​856
• @​jacopoc made their first contribution in #​1205

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

v1.23.1

Compare Source

Fixed:

• Disabled SSE priming events to fix backwards compatibility - 1.23.x clients crash on empty SSE data (JSON.parse(""))

This is a patch for servers still on 1.23.x that were breaking clients not handling the the 2025-11-25 priming event behavior with empty SSE data fields. See #​1233 for more details.

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.23.1

v1.23.0

Compare Source

What's Changed

• Migrate to vitest from jest by @​mattzcarey in #​1074
• ci: add workflow_dispatch trigger for manual CI runs by @​felixweinberger in #​1114
• Fix: @​types/node incompatibility with vite warnings on npm install by @​KKonstantinov in #​1121
• Fix: clean up accidental spec.types.ts by @​KKonstantinov in #​1122
• fix: Pass RequestInit options to auth requests by @​dsp-ant in #​1066
• SEP-1036: URL Elicitation by @​nbarbettini in #​1105
• add none to test and the router. by @​m-henderson in #​1116
• [auth] Adjust scope management to line up with SEP-835 by @​pcarleton in #​1133
• chore: add .idea/ to .gitignore by @​maxisbey in #​1134
• chore: remove unused @​types/eslint__js dependency by @​mattzcarey in #​1128
• feat: url based client metadata registration (SEP 991) by @​mattzcarey in #​1127
• feat: zod v4 with backwards compatibility for v3.25+ by @​dclark27 in #​1040
• fix: remove pnpm lock and regenerate package-lock by @​mattzcarey in #​1138
• docs: update installation instructions for zod peer dependency by @​mattzcarey in #​1139
• Implement SEP-1577 - Sampling With Tools by @​ochafik in #​1101
• Follow up: unify v3 and v4 zod types via describe matrix and a test helper by @​KKonstantinov in #​1141
• chore: Add deprecated marker to old elicitInput overload by @​nbarbettini in #​1142
• fix: Connect error in URL elicitation example by @​nbarbettini in #​1136
• Support upscoping on insufficient_scope 403 by @​Nayana-Parameswarappa in #​1115
• Support beta releases by publishing with --tag beta by @​felixweinberger in #​1146
• Bump version to 1.23.0-beta.0 by @​felixweinberger in #​1147
• SEP-1613: use.catchall() on inputSchema/outputSchema to support JSON Schema 2020-12 by @​felixweinberger in #​1135
• sampling: validate tools, tool_use, tool_result constraints by @​ochafik in #​1156
• fix: React to upstream RC schema changes for form mode elicitation requests by @​felixweinberger in #​1164
• feat: implement SEP-1699 SSE polling via server-side disconnect by @​felixweinberger in #​1129
• chore: bump package number for release by @​felixweinberger in #​1170

New Contributors

• @​nbarbettini made their first contribution in #​1105
• @​m-henderson made their first contribution in #​1116
• @​maxisbey made their first contribution in #​1134
• @​dclark27 made their first contribution in #​1040
• @​Nayana-Parameswarappa made their first contribution in #​1115

Full Changelog: modelcontextprotocol/typescript-sdk@1.22.0...1.23.0

v1.22.0

Compare Source

What's Changed

• registerTool: accept ZodType for input and output schema by @​ksinder in #​816
• SEP-1319: Decouple Request Payloads, Remove passthrough iteration, Typecheck fixes by @​KKonstantinov in #​1086
• add pkg-pr-new bot by @​pcarleton in #​1088
• Upgrade to Node LTS by @​mattzcarey in #​1072
• change step name by @​pcarleton in #​1089
• SEP-1034: Default values for Elicitation Schemas by @​KKonstantinov in #​1096
• SEP-1330: Compatibility with SEP-1034 by @​KKonstantinov in #​1100
• Implementation of SEP-986: Specify Format for Tool Names by @​kentcdodds in #​900
• [auth] Fix march spec fallback for metadata discovery by @​pcarleton in #​1108
• chore: bump version for release by @​felixweinberger in #​1110

New Contributors

• @​ksinder made their first contribution in #​816

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.1...1.22.0

v1.21.2

Compare Source

What's changed

This is a patch release for a regression highlighted by #​1103

This patch contains only the cherry picked fix in #​1108

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.1...1.21.2

v1.21.1

Compare Source

What's Changed

• Only use path-based discovery URLs from the authorization server to discover metadata by @​roadmapper in #​1070
• Add @​deprecated annotations to legacy APIs by @​domdomegg in #​1018
• fix: Support WWW-Authenticate scope param for SEP-835 by @​chipgpt in #​983
• move CLI script to dedicated scripts directory by @​mattzcarey in #​1073
• Check script which typechecks using Typescripts new Go port by @​mattzcarey in #​1075
• FIX: use a nightly spec.types.ts by @​mattzcarey in #​1087
• chore: bump version for release by @​felixweinberger in #​1085

New Contributors

• @​roadmapper made their first contribution in #​1070

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.0...1.21.1

v1.21.0

Compare Source

What's Changed

• feat: pluggable JSON schema validator providers by @​mattzcarey in #​1012
• Update metadata.ts by @​pcarleton in #​1010
• fix: Prefer the token_endpoint_auth_method response from DCR registration by @​chipgpt in #​1022
• Fix: Non-existent tool, disabled tool and inputSchema validation return MCP protocol level instead of CallToolResult with isError: true by @​KKonstantinov in #​1044
• chore: bump version to 1.21.0 for release by @​felixweinberger in #​1062

New Contributors

• @​chipgpt made their first contribution in #​1022

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.2...1.21.0

v1.20.2

Compare Source

What's Changed

• fix: Zod to JSONSchema pipe strategies by @​pierreliefauche in #​962
• chore: bump version for weekly release by @​felixweinberger in #​1042

New Contributors

• @​pierreliefauche made their first contribution in #​962

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.1...1.20.2

v1.20.1

Compare Source

What's Changed

• fix: Add Accept header to auth metadata request by @​SVLaursen in #​901
• Allow empty string as valid URL in DCR workflow by @​fredericbarthelet in #​987
• docs: fix summary contents at readme by @​starfish719 in #​1025
• chore: bump version to 1.20.1 for release by @​felixweinberger in #​1032

New Contributors

• @​SVLaursen made their first contribution in #​901
• @​starfish719 made their first contribution in #​1025

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.0...1.20.1

v1.20.0

Compare Source

What's Changed

• docs: improve main README with better quick start, include examples of stateless HTTP, explain tools v resources v prompts by @​domdomegg in #​980
• chore: add lint:fix script by @​mattzcarey in #​1013
• Default to S256 code challenge if not specified in authorization server metadata by @​LucaButBoring in #​992

New Contributors 🙏

• @​mattzcarey made their first contribution in #​1013

Full Changelog: modelcontextprotocol/typescript-sdk@1.19.0...1.20.0

v1.19.1

Compare Source

v1.18.2

Compare Source

What's Changed

• Updates the sampling code example in the README by @​viniciuscsouza in #​958
• Use redirect Uri passed in in demoInMemoryOAuthProvider by @​TylerLeonhardt in #​931
• fix(auth-router): correct Protected Resource Metadata for pathful RS and add explicit resourceServerUrl (RFC 9728) by @​blustAI in #​858
• chore: update version to 1.18.2 for weekly release by @​felixweinberger in #​970

New Contributors

• @​viniciuscsouza made their first contribution in #​958
• @​TylerLeonhardt made their first contribution in #​931
• @​blustAI made their first contribution in #​858

Full Changelog: modelcontextprotocol/typescript-sdk@1.18.1...1.18.2

v1.18.1

Compare Source

What's Changed

• fix: prevent streamable http wite after end from crashing the node process by @​MQ37 in #​933
• chore: update version to 1.18.1 for weekly release by @​felixweinberger in #​950

New Contributors

• @​MQ37 made their first contribution in #​933

Full Changelog: modelcontextprotocol/typescript-sdk@1.18.0...1.18.1

v1.18.0

Compare Source

What's Changed

• mcp: update SDK for SEP 973 + add to example server by @​jesselumarie in #​904
• feat: add _meta field support to tool definitions by @​knguyen-figma in #​922
• Fix automatic log level handling for sessionless connections by @​cliffhall in #​917
• 1.17.6 by @​ihrpr in #​936
• 1.18.0 by @​ihrpr in #​937
• ignore icons for now by @​ihrpr in #​938

New Contributors

• @​jesselumarie made their first contribution in #​904
• @​knguyen-figma made their first contribution in #​922

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.5...1.18.0

v1.17.5

Compare Source

What's Changed

• Automatic handling of logging level by @​cliffhall in #​882
• Fix the SDK vs Spec types test that is breaking CI by @​cliffhall in #​908

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.4...1.17.5

v1.17.4

Compare Source

What's Changed

• feature(middleware): Composable fetch middleware for auth and cross‑cutting concerns by @​m-paternostro in #​485
• restrict url schemes allowed in oauth metadata by @​pcarleton in #​877
• [auth] OAuth protected-resource-metadata: fallback on 4xx not just 404 by @​pcarleton in #​879
• chore: bump version to 1.17.4 by @​felixweinberger in #​894

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.3...1.17.4

v1.17.3

Compare Source

What's Changed

• Fix quit command in Example client with OAuth by @​DaleSeo in #​864
• fix: client import & server imports by @​jatinsandilya in #​851
• fix: pass fetchfn parameter to registerClient and refreshAuthorizatio… by @​arjunkmrm in #​850
• docs: correct parameter schema key in Dynamic Servers documentation by @​bianbianzhu in #​789
• version: patch to 0.17.3 by @​felixweinberger in #​878

New Contributors

• @​DaleSeo made their first contribution in #​864
• @​jatinsandilya made their first contribution in #​851
• @​arjunkmrm made their first contribution in #​850
• @​bianbianzhu made their first contribution in #​789

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.2...1.17.3

v1.17.2

Compare Source

What's Changed

• fix: retry next endpoint on CORS error during auth server discovery by @​xiaoyijun in #​827

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.1...1.17.2

v1.17.1

Compare Source

What's Changed

• (fix): Update fallbackRequestHandler type to match _requestHandlers leaves type by @​fredericbarthelet in #​784
• fix: prevent responses being sent to wrong client when multiple transports connect by @​grimmerk in #​820
• 1.17.1 by @​ihrpr in #​831

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.0...1.17.1

v1.17.0

Compare Source

What's Changed

• Add CODEOWNERS file for sdk by @​ihrpr in #​781
• Add more robust base64 check by @​cliffhall in #​786
• update codeowners by @​ihrpr in #​803
• Fix indent by @​jiec-msft in #​807
• fix: Explicitly declare accpet type to json when exchanging oauth token by @​JoJoJoJoJoJoJo in #​801
• feat: support oidc discovery in client sdk by @​xiaoyijun in #​652
• fix: remove extraneous code block in README.md by @​sd0ric4 in #​791
• Bump form-data from 4.0.2 to 4.0.4 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in #​798
• Bump version 1.17.0 by @​ihrpr in #​810

New Contributors 🙏

• @​jiec-msft made their first contribution in #​807
• @​sd0ric4 made their first contribution in #​791

Full Changelog: modelcontextprotocol/typescript-sdk@1.16.0...1.17.0

v1.16.0

Compare Source

What's Changed

• Add type compatibility test between SDK and spec types by @​ochafik in #​729
• Add OIDC ID token support by @​dankelleher in #​680
• Add prompt=consent for OIDC offline_access scope by @​dankelleher in #​681
• Non-critical: Readme syntax and typographical error fixes by @​freakynit in #​765
• make client side client_id generation configurable in the oauth router by @​cdaguerre in #​734
• Adding invalidateCredentials() to OAuthClientProvider by @​geelen in #​570
• fix: use authorization_server_url as issuer when fetching metadata by @​JoJoJoJoJoJoJo in #​763
• feat(protocol): Debounce notifications to improve network efficiancy by @​jneums in #​746
• fix(731): StreamableHTTPClientTransport Fails to Reconnect on Non-Resumable Streams by @​jneums in #​732
• fix: consistently use consumer-provided fetch function by @​LucaButBoring in #​767
• fix client id issuance date should only be sent when generated by @​cdaguerre in #​775
• 1.16.0 by @​ihrpr in #​779

New Contributors 🙏

• @​dankelleher made their first contribution in #​680
• @​freakynit made their first contribution in #​765
• @​cdaguerre made their first contribution in #​734
• @​JoJoJoJoJoJoJo made their first contribution in #​763
• @​jneums made their first contribution in #​746
• @​LucaButBoring made their first contribution in #​767

Full Changelog: modelcontextprotocol/typescript-sdk@1.15.1...1.16.0

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Jerusalem, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[descope]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[omercnet]

@shuni fix it

[shuni-bot]

🐕 Done! Updated PR: #135

View workflow run

📋 Actions Taken

View AI response

Perfect! Let me create a summary of what was done:

Summary

I've successfully fixed the security vulnerability by updating the @modelcontextprotocol/sdk dependency from version 1.15.1 to 1.24.0. Here's what was done:

Changes Made

1. Updated package.json: Changed @modelcontextprotocol/sdk from ^1.15.1 to ^1.24.0
2. Updated pnpm-lock.yaml: Ran pnpm install --no-frozen-lockfile to update the lockfile with the new dependency version and all its transitive dependencies

Security Fix Details

The update addresses CVE-2025-66414 (CVSS Score: 7.6 / 10 - High severity):

• Issue: DNS rebinding vulnerability in HTTP-based MCP servers
• Impact: When an HTTP-based MCP server runs on localhost without authentication, a malicious website could exploit DNS rebinding to bypass same-origin policy and access local MCP server resources
• Fix: Version 1.24.0 enables DNS rebinding protection by default when binding to localhost in createMcpExpressApp() and provides hostHeaderValidation() middleware for custom Express configurations

Build Status

✅ Build: Successful - Project compiles without errors
✅ Tests: 54 out of 55 tests pass (1 pre-existing test failure unrelated to SDK update)
✅ Dependencies: All dependencies installed and compatible

Notes

• The failing test (should throw error when projectId is missing) is a pre-existing issue in the test suite where an environment variable (DESCOPE_PROJECT_ID) interferes with the test. This is unrelated to the SDK update.
• Some linting and formatting issues in src/utils.ts are from a previous "fix" commit and are not related to this security update.
• The codebase doesn't use createMcpExpressApp(), but still benefits from the security patches included in the SDK update.

The security vulnerability has been resolved, and the codebase is ready for the CI pipeline to handle the git operations.

[omercnet]

@shuni fix lint

[shuni-bot]

🐕 Uh oh! I ran into an error.

View failed run

Please check the logs for details.

[omercnet]

@shuni fix lint

[shuni-bot]

🐕 Uh oh! I ran into an error.

View failed run

Please check the logs for details.

[omercnet]

@shuni fix lint

[shuni-bot]

🐕 Uh oh! I ran into an error.

View failed run

Please check the logs for details.