PYSEC-2026-2421

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/code-index-mcp/PYSEC-2026-2421.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2421
Aliases
Published
2026-07-13T15:46:14.203113Z
Modified
2026-07-13T16:32:36.198225724Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Code Index MCP is vulnerable to Uncontrolled Resource Consumption
Details

A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function issaferegexpattern of the component searchcode_advanced. Executing a manipulation of the argument regex can lead to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.14.1 is able to address this issue. This patch is called 25bc02fac74051ddae15ce79e952f00211b1ea6b. Upgrading the affected component is recommended.

References

Affected packages

PyPI / code-index-mcp

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.14.1

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.2.0
0.2.1
0.3.0
0.3.1
0.4.1
0.4.2
0.5.0
1.*
1.0.0
1.1.0
1.1.1
1.2.0
1.2.1
2.*
2.0.0
2.0.1
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.7.0
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.10.0
2.11.0
2.12.0
2.13.0
2.14.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/code-index-mcp/PYSEC-2026-2421.yaml"