RubySec

Providing security resources for the Ruby community

GHSA-52jp-gj8w-j6xh (mcp): Unbounded session retention in StreamableHTTPTransport allows memory exhaustion via initialize flood

Unbounded session retention in StreamableHTTPTransport allows memory exhaustion via initialize flood

Published: July 07, 2026

SECURITY IDENTIFIERS

GEM

mcp

SEVERITY

CVSS v3.x: 5.3 (Medium)

PATCHED VERSIONS

>= 0.23.0

DESCRIPTION

Summary

In its default configuration, MCP::Server::Transports::StreamableHTTPTransport never expires sessions. Every successful initialize request stores a new ServerSession and a session record under a fresh UUID, and the only path that removes them is an explicit client-issued HTTP DELETE. An unauthenticated attacker can repeatedly initialize new sessions and immediately disconnect, forcing the server to retain an unbounded number of ServerSession objects until memory is exhausted.

RELATED