CVE-2025-53365: 
Model Context Protocol vulnerability analysis and mitigation

The MCP Python SDK (mcp on PyPI), a Python implementation of the Model Context Protocol (MCP), contains a vulnerability identified as CVE-2025-53365. The vulnerability was discovered in versions prior to 1.10.0, where an uncaught exception condition could lead to server crashes. The issue was disclosed on July 4, 2025, and affects systems running the MCP Python SDK server component (GitHub Advisory, NVD).

The vulnerability stems from an uncaught ClosedResourceError that occurs when a client deliberately triggers an exception after establishing a streamable HTTP session. The issue has been assigned a CVSS v4.0 base score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-248 (Uncaught Exception) (GitHub Advisory, Red Hat).

When exploited, the vulnerability causes the server to crash, requiring a restart to restore service. The impact severity may vary depending on deployment conditions and the presence of infrastructure-level resilience measures. The vulnerability specifically affects the availability of the system without compromising confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in version 1.10.0 of the MCP Python SDK. Users are advised to upgrade to this version or later to address the security issue. The fix includes proper exception handling for the ClosedResourceError condition (GitHub Commit).