CVE-2026-25536 @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse [v20-lts] #32453

@timvandenhof

Command

version

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

CVE-2026-25536: @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse

Severity: high (7.1/10)
Package: @modelcontextprotocol/sdk (npm)
Affected versions: >= 1.10.0, <= 1.25.3
Patched versions: 1.26.0

See CVE-2026-25536 for details. It affects v20-lts, seems to be already patched in 21.1.3 and seems to need a backport (or NPM override as a workaround).

Minimal Reproduction

Install v20-lts version 20.3.15 and run npm audit.

Exception or Error

Image

Your Environment

Angular CLI: 20.3.15
Node: 22.16.0
Package Manager: npm 10.9.2
OS: darwin arm64
    

Angular: 20.3.16
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package                            Version
------------------------------------------
@angular-devkit/architect          0.2003.15
@angular-devkit/build-angular      20.3.15
@angular-devkit/core               20.3.15
@angular-devkit/schematics         20.3.15
@angular/cdk                       20.2.14
@angular/cli                       20.3.15
@angular/material                  20.2.14
@angular/material-moment-adapter   20.2.14
@schematics/angular                20.3.15
rxjs                               7.8.2
typescript                         5.8.3
zone.js                            0.15.1

Anything else relevant?

No response
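
As an added example (not part of the original report, and not code from Angular or the MCP SDK), the script below checks an already-parsed `package-lock.json` for installed copies of `@modelcontextprotocol/sdk` inside the affected range quoted above, including nested copies under other packages. The sample lockfile and its versions are constructed, and the function names are hypothetical.

```javascript
// Affected range as stated in the report: >= 1.10.0, <= 1.25.3 (patched in 1.26.0).
const PKG = '@modelcontextprotocol/sdk';
const AFFECTED = { min: [1, 10, 0], max: [1, 25, 3] };

// Parse "1.25.3" into [major, minor, patch]; null if malformed.
// Prerelease tags are ignored, so "1.25.3-rc.1" is treated as 1.25.3 (conservative).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED.min) >= 0 && compare(v, AFFECTED.max) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 lockfile. Keys are install
// paths, so copies nested under another package's node_modules are found too.
function findAffected(lock) {
  const suffix = 'node_modules/' + PKG;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path.endsWith(suffix) && isAffected(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile; the SDK versions are illustrative, not a real tree.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.0' },
    'node_modules/@angular/cli': { version: '20.3.15' },
    'node_modules/@angular/cli/node_modules/@modelcontextprotocol/sdk': { version: '1.17.3' },
    'node_modules/@modelcontextprotocol/sdk': { version: '1.26.0' },
    'node_modules/other-tool/node_modules/@modelcontextprotocol/sdk': { version: '1.9.0' },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

To scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffected`; each path it reports is a candidate for the npm override to 1.26.0 that the report mentions as a workaround.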
