CVE-2025-66414 - @modelcontextprotocol/sdk #32004

@deleonio

Command

version

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Security Vulnerability Report

High Severity: DNS Rebinding Protection Disabled by Default

Package: @modelcontextprotocol/sdk

Issue: Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

Vulnerable versions: <1.24.0

Patched versions: >=1.24.0

Dependency Path:

packages__samples__angular > @angular/cli > @modelcontextprotocol/sdk

More information: [GitHub Advisory GHSA-w48q-cv73-mx4w](GHSA-w48q-cv73-mx4w)


Recommended Action

Update @modelcontextprotocol/sdk to version 1.24.0 or later to resolve this vulnerability.

Minimal Reproduction

pnpm audit

Exception or Error


Your Environment

-

Anything else relevant?

No response
