CVE-2026-10692: ReDoS Vulnerability in code-index-mcp Up to 2.14.0 – Patch Available
A flaw exists in code-index-mcp versions up to 2.14.0 that allows authenticated users to cause performance degradation through specially crafted regular expressions. By submitting a malicious regex pattern to the search_code_advanced function, an attacker can trigger inefficient regex processing that consumes excessive CPU resources, leading to application slowdown or unresponsiveness. This is a denial-of-service weakness that requires login credentials to exploit but does not compromise confidentiality or data integrity.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-1333, CWE-400
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function is_safe_regex_pattern of the component search_code_advanced. Executing a manipulation of the argument regex can lead to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.14.1 is able to address this issue. This patch is called 25bc02fac74051ddae15ce79e952f00211b1ea6b. Upgrading the affected component is recommended.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10692 is a ReDoS (Regular Expression Denial of Service) vulnerability in the is_safe_regex_pattern function within johnhuang316's code-index-mcp library. The vulnerability stems from insufficient validation of regex pattern complexity before execution. Attackers authenticated to the system can supply catastrophically backtracking regular expressions through the search_code_advanced component, causing the application to enter exponential-time matching loops. The vulnerability maps to CWE-1333 (Inefficient Regular Expression Complexity) and CWE-400 (Uncontrolled Resource Consumption), indicating both the root cause and the attack outcome.
Business impact
For organizations deploying code-index-mcp as part of their code search or indexing infrastructure, this vulnerability presents a localized availability risk. An authenticated insider or compromised account could repeatedly trigger regex processing to disrupt search functionality, impacting development workflows and potentially delaying incident response activities that depend on code indexing. Since authentication is required, the attack surface is limited to users with system access, reducing enterprise-wide risk but warranting prompt patching to eliminate the vector entirely.
Affected systems
johnhuang316 code-index-mcp versions 2.14.0 and earlier are affected. The issue is resolved in version 2.14.1 and later. Organizations should audit deployments to identify running instances and verify version numbers. The vulnerability is present in the search_code_advanced component specifically, making this attack surface relevant primarily to workflows that use the advanced search feature.
Exploitability
Exploitation requires network access and valid authentication credentials. The attack is straightforward once credentials are obtained—no special tools or deep expertise are required; an attacker simply crafts a pathological regex pattern and submits it through the vulnerable function. Public exploit information is available, increasing the likelihood of both opportunistic and targeted attacks from insiders or adversaries with stolen credentials. However, the login requirement significantly limits exposure compared to unauthenticated vulnerabilities.
Remediation
Upgrade code-index-mcp to version 2.14.1 or later immediately. This patch addresses the regex validation weakness in is_safe_regex_pattern and prevents catastrophic backtracking. Additionally, consider implementing rate-limiting on search operations and monitoring for unusual regex submission patterns (e.g., repeated attempts with complex patterns) to detect potential exploitation attempts while patching is underway.
Patch guidance
Apply version 2.14.1 via your package manager or download the release containing commit 25bc02fac74051ddae15ce79e952f00211b1ea6b. Verify the patch by confirming the version string and commit hash post-deployment. If using code-index-mcp in a containerized environment, rebuild images with the updated version and redeploy. Test search functionality after patching to confirm no regressions. No special configuration changes are required for this patch.
Detection guidance
Monitor application logs for repeated or unusual regex patterns submitted to the search_code_advanced endpoint, particularly those containing complex quantifiers or nested groups. Watch for spikes in CPU usage correlated with search requests. Network-based detection is limited due to the requirement for authentication; focus detection efforts on insider threat monitoring and account compromise detection. Log all searches and review for patterns indicative of ReDoS attacks, such as exponential backtracking strings or known pathological regex examples.
Why prioritize this
While the CVSS score of 4.3 (Medium) reflects low impact—affecting only availability, not confidentiality or integrity—the public availability of exploitation information and the straightforward attack method argue for near-term patching. The requirement for authentication reduces urgency slightly, but code-index-mcp is often deployed in development environments with relatively relaxed access controls. Patch within 30 days or sooner if the tool is exposed to untrusted user accounts.
Risk score, explained
The CVSS 3.1 score of 4.3 is driven by: Network-accessible attack vector (AV:N); Low attack complexity (AC:L), as no special conditions are required; Requirement for low-privilege authentication (PR:L); No impact on confidentiality or integrity (C:N, I:N); Low availability impact (A:L), since the attack causes degradation rather than total outage. The score does not escalate to High because the attack requires valid credentials and does not lead to data compromise. Public exploit availability elevates practical risk but does not change the base CVSS calculation.
Frequently asked questions
Does this vulnerability allow code execution or data theft?
No. CVE-2026-10692 is strictly a denial-of-service flaw. It does not enable code execution, privilege escalation, or unauthorized data access. The attack causes application slowdown or unresponsiveness only.
How can I tell if my instance has been exploited?
Look for correlation between search requests containing complex or unusual regex patterns and CPU spikes in your application logs and system metrics. Authenticated users submitting patterns with excessive quantifiers or nested groups are a red flag. No actual data compromise occurs, so exploitation evidence is limited to performance anomalies.
Is version 2.14.0 definitely vulnerable?
Yes, the vulnerability affects all versions up to and including 2.14.0. Version 2.14.1 contains the fix. If you are running 2.14.0 or earlier, you are exposed and should patch.
What if we cannot immediately update to 2.14.1?
As an interim mitigation, restrict access to the search_code_advanced feature to trusted users only, implement request-rate limiting on search endpoints, and monitor for unusual regex submissions. These do not fully eliminate the risk but reduce the attack surface while you plan and execute the upgrade.
This analysis is provided for informational purposes and should not be construed as legal or professional security advice. Vulnerability severity and exploitability vary based on individual deployment context, network segmentation, and access controls. Always verify patch applicability and test in a non-production environment before deploying to production systems. Reference the vendor advisory and official security bulletins for the most current and authoritative guidance. SEC.co assumes no liability for damages resulting from vulnerability exploitation or patching decisions made by third parties. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10291MEDIUMReDoS in Enderfga claw-orchestrator validateRegex—Security Update
- CVE-2026-10691MEDIUMReDoS Vulnerability in DesktopCommanderMCP Search Manager
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification
- CVE-2026-0074MEDIUMAndroid LauncherProcessImageListener Denial of Service Vulnerability