
CVE-2025-53365:
MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service

8.7

CVSS Score

Basic Information

EPSS Score
-
Published
7/4/2025
Updated
7/4/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Package Name
mcp
Ecosystem
pip
Vulnerable Versions
< 1.10.0
First Patched Version
1.10.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability analysis identified a high-severity flaw (CVSS 4.0 score 8.7, availability impact only) in the MCP Python SDK's server-side session management. The root cause of the Denial of Service is an unhandled anyio.ClosedResourceError exception within the mcp.shared.session.Session._receive_loop function, which reads and dispatches the messages arriving over a streamable HTTP connection.

When a client establishes a connection and then disconnects abruptly (for example by crashing, or by closing the connection without a proper termination), the underlying anyio read stream is closed and the next read raises ClosedResourceError. The vulnerable version of _receive_loop had no handler for this error, so the exception propagated out of the receive task, terminated the server's execution task and effectively took the server process down. Because the trigger is simply a connection that is opened and dropped, no authentication or user interaction is needed, which is reflected in the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N).

The patch addresses this directly by wrapping the message-reading loop (async for message in self._read_stream:) in a try...except block. The added except anyio.ClosedResourceError: clause catches this specific exception, logs a debug message, and lets the loop exit cleanly so the server keeps running. A misbehaving or crashing client therefore ends only its own session rather than the whole server, which is what mitigates the Denial of Service. Deployments on mcp < 1.10.0 that expose the streamable HTTP transport to untrusted clients should upgrade to 1.10.0 or later.
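As an added example (not code from the MCP Python SDK or from Miggo), the following asyncio model reproduces the two shapes of the receive loop described above and shows why one crashes the server task while the other does not. `ClosedResourceError` and `MemoryReceiveStream` are constructed stand-ins for anyio's exception and memory object receive stream, so the script runs without anyio installed; the JSON-RPC messages are constructed sample input.

```python
import asyncio
import logging
from collections import deque

logger = logging.getLogger("session-model")


class ClosedResourceError(Exception):
    """Constructed stand-in for anyio.ClosedResourceError."""


class MemoryReceiveStream:
    """Constructed stand-in for an anyio memory object receive stream.

    The transport pushes decoded messages with send_nowait() and calls close()
    when the client connection goes away. A reader blocked in receive() then
    gets ClosedResourceError, the error the vulnerable loop never caught.
    """

    def __init__(self):
        self._buffer = deque()
        self._closed = False
        self._wakeup = asyncio.Event()

    def send_nowait(self, message):
        self._buffer.append(message)
        self._wakeup.set()

    def close(self):
        self._closed = True
        self._wakeup.set()

    async def receive(self):
        while not self._buffer:
            if self._closed:
                raise ClosedResourceError("read stream closed")
            self._wakeup.clear()
            await self._wakeup.wait()
        return self._buffer.popleft()

    def __aiter__(self):
        return self

    async def __anext__(self):
        return await self.receive()


class Session:
    """Minimal model of the session object that owns the read stream."""

    def __init__(self, read_stream):
        self._read_stream = read_stream
        self.received = []

    async def receive_loop_vulnerable(self):
        # Shape before 1.10.0: nothing catches the closed-stream error, so it
        # propagates out of this task into whatever is supervising it.
        async for message in self._read_stream:
            self.received.append(message)

    async def receive_loop_patched(self):
        # Shape from 1.10.0: the same iteration wrapped in try/except, so an
        # abrupt disconnect ends this session's loop instead of the server.
        try:
            async for message in self._read_stream:
                self.received.append(message)
        except ClosedResourceError:
            logger.debug("Read stream closed by client")


async def misbehaving_client(stream):
    """Constructed client: sends two JSON-RPC messages, then disconnects."""
    stream.send_nowait({"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {}})
    stream.send_nowait({"jsonrpc": "2.0", "method": "notifications/initialized"})
    await asyncio.sleep(0)  # let the server drain the buffer
    stream.close()  # the transport closes the read stream on disconnect


def simulate(patched):
    """Run one session against the misbehaving client.

    Returns (status, messages_handled): "survived" when the server task
    completes normally, "crashed" when ClosedResourceError escapes it.
    """
    handled = []

    async def server_task():
        stream = MemoryReceiveStream()  # created inside the running loop
        session = Session(stream)
        loop = session.receive_loop_patched if patched else session.receive_loop_vulnerable
        try:
            await asyncio.gather(loop(), misbehaving_client(stream))
        finally:
            handled.extend(session.received)

    try:
        asyncio.run(server_task())
        status = "survived"
    except ClosedResourceError:
        status = "crashed"
    return status, len(handled)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print("vulnerable:", simulate(patched=False))
    print("patched:   ", simulate(patched=True))
```

Both loops handle the same two messages; the only difference is whether the disconnect escapes the loop. Here `asyncio.gather` plays the role of the supervisor: in the real SDK the loop runs inside an anyio task group, so the escaping exception cancels its sibling tasks and brings the server down with it, which is the behaviour the advisory describes.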

Vulnerable functions

mcp.shared.session.Session._receive_loop
src/mcp/shared/session.py
This asynchronous function continuously reads messages from a client stream. Prior to the patch, it lacked a handler for the `anyio.ClosedResourceError` exception. If a client disconnected abruptly, this error would be raised from the `self._read_stream`, and because it was unhandled, it would propagate up and crash the server's main task, causing a denial of service. The patch adds a specific `try...except` block to catch this error and handle it gracefully, preventing the server from crashing.

WAF Protection Rules

WAF Rule

If a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary.
