{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"python-mcp security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for python-mcp is now available for openEuler-24.03-LTS-SP3",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"The official Python SDK for Model Context Protocol servers and clients\n\nSecurity Fix(es):\n\nThe MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.10.0, if a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions and the presence of infrastructure-level resilience measures. Version 1.10.0 contains a patch for the issue. (CVE-2025-53365)\n\nThe MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.9.4, a validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions and the presence of infrastructure-level resilience measures. Version 1.9.4 contains a patch for the issue. (CVE-2025-53366)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for python-mcp is now available for master/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"python-mcp",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2026-1151",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1151"
			},
			{
				"summary":"CVE-2025-53365",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-53365&packageName=python-mcp"
			},
			{
				"summary":"CVE-2025-53366",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-53366&packageName=python-mcp"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53365"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53366"
			},
			{
				"summary":"openEuler-SA-2026-1151 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-1151.json"
			}
		],
		"title":"An update for python-mcp is now available for openEuler-24.03-LTS-SP3",
		"tracking":{
			"initial_release_date":"2026-01-22T09:59:04+08:00",
			"revision_history":[
				{
					"date":"2026-01-22T09:59:04+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2026-01-22T09:59:04+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2026-01-22T09:59:04+08:00",
			"id":"openEuler-SA-2026-1151",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"openEuler-24.03-LTS-SP3",
									"name":"openEuler-24.03-LTS-SP3"
								},
								"name":"openEuler-24.03-LTS-SP3",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"python3-mcp-1.12.3-1.oe2403sp3.noarch.rpm",
									"name":"python3-mcp-1.12.3-1.oe2403sp3.noarch.rpm"
								},
								"name":"python3-mcp-1.12.3-1.oe2403sp3.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"python-mcp-1.12.3-1.oe2403sp3.src.rpm",
									"name":"python-mcp-1.12.3-1.oe2403sp3.src.rpm"
								},
								"name":"python-mcp-1.12.3-1.oe2403sp3.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP3",
				"product_reference":"python3-mcp-1.12.3-1.oe2403sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP3:python3-mcp-1.12.3-1.oe2403sp3.noarch",
					"name":"python3-mcp-1.12.3-1.oe2403sp3.noarch as a component of openEuler-24.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP3",
				"product_reference":"python-mcp-1.12.3-1.oe2403sp3.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP3:python-mcp-1.12.3-1.oe2403sp3.src",
					"name":"python-mcp-1.12.3-1.oe2403sp3.src as a component of openEuler-24.03-LTS-SP3"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2025-53365",
			"notes":[
				{
					"text":"The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.10.0, if a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.10.0 contains a patch for the issue.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS-SP3:python3-mcp-1.12.3-1.oe2403sp3.noarch",
					"openEuler-24.03-LTS-SP3:python-mcp-1.12.3-1.oe2403sp3.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS-SP3:python3-mcp-1.12.3-1.oe2403sp3.noarch",
						"openEuler-24.03-LTS-SP3:python-mcp-1.12.3-1.oe2403sp3.src"
					],
					"details":"python-mcp security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1151"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.1,
						"vectorString":"CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS-SP3:python3-mcp-1.12.3-1.oe2403sp3.noarch",
						"openEuler-24.03-LTS-SP3:python-mcp-1.12.3-1.oe2403sp3.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2025-53365"
		},
		{
			"cve":"CVE-2025-53366",
			"notes":[
				{
					"text":"The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.9.4, a validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.9.4 contains a patch for the issue.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS-SP3:python3-mcp-1.12.3-1.oe2403sp3.noarch",
					"openEuler-24.03-LTS-SP3:python-mcp-1.12.3-1.oe2403sp3.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS-SP3:python3-mcp-1.12.3-1.oe2403sp3.noarch",
						"openEuler-24.03-LTS-SP3:python-mcp-1.12.3-1.oe2403sp3.src"
					],
					"details":"python-mcp security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1151"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.5,
						"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS-SP3:python3-mcp-1.12.3-1.oe2403sp3.noarch",
						"openEuler-24.03-LTS-SP3:python-mcp-1.12.3-1.oe2403sp3.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2025-53366"
		}
	]
}