chore(deps): update dependency @modelcontextprotocol/sdk to v1.25.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@modelcontextprotocol/sdk (source)	1.25.1 → 1.25.2

GitHub Vulnerability Alerts

CVE-2026-0621

Impact

A ReDoS vulnerability in the UriTemplate class allows attackers to cause denial of service. The partToRegExp() function generates a regex pattern with nested quantifiers (([^/]+(?:,[^/]+)*)) for exploded template variables (e.g., {/id*}, {?tags*}), causing catastrophic backtracking on malicious input.

Who is affected: MCP servers that register resource templates with exploded array patterns and accept requests from untrusted clients.

Attack result: An attacker sends a crafted URI via resources/read request, causing 100% CPU utilization, server hang/crash, and denial of service for all clients.

Affected Versions

All versions of @modelcontextprotocol/sdk prior to the patched release.

Patches

v1.25.2 contains b392f02ffcf37c088dbd114fedf25026ec3913d3 the fix modifies the regex pattern to prevent backtracking.

Workarounds

• Avoid using exploded patterns ({/id*}, {?tags*}) in resource templates
• Implement request timeouts and rate limiting
• Validate URIs before processing to reject suspicious patterns

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.25.2

Compare Source

What's Changed

• ci: trigger workflow on v1.x branch by @​felixweinberger in #​1319
• fix: README badges links destinations by @​antonpk1 in #​907
• fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @​pcarleton in #​1365

New Contributors

• @​antonpk1 made their first contribution in #​907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for rsdoctor ready!

Name	Link
🔨 Latest commit	70a4bd8
🔍 Latest deploy log	https://app.netlify.com/projects/rsdoctor/deploys/695ea4519837d000081dafec
😎 Deploy Preview	https://deploy-preview-1472--rsdoctor.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.