Tip: Never Reuse One McpServer Instance Across Clients (CVE-2026-25536)
Practical DevSecOps·medium signal
The concrete mitigation for the MCP TypeScript SDK cross-client leak is to instantiate a fresh McpServer per client connection rather than sharing a single long-lived instance across multiple clients, which is what allowed request/response data to bleed between sessions. Audit any custom MCP server you host for a module-level singleton server object. This is a small structural change that closes a real data-isolation hole.