RubySec

Providing security resources for the Ruby community

GHSA-h669-8m4g-r2hc (mcp): Unbounded JSON-RPC request body causes uncontrolled memory allocation in StreamableHTTPTransport

Unbounded JSON-RPC request body causes uncontrolled memory allocation in StreamableHTTPTransport

Published: July 07, 2026

SECURITY IDENTIFIERS

GEM

mcp

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

>= 0.23.0

DESCRIPTION

Summary

An unauthenticated remote attacker can force any MCP Ruby SDK server using MCP::Server::Transports::StreamableHTTPTransport to allocate gigabytes of memory by sending a single oversized JSON-RPC POST. The transport reads the entire HTTP body into a Ruby String and parses it with JSON.parse(body, symbolize_names: true) with no size limit, no Content-Length pre-check, and no streaming parser, allowing trivial denial of service against the worker process.

RELATED