This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
🚨 **Nature**: Regular Expression Denial of Service (ReDoS) vulnerability. 💥 **Consequence**: Attackers can exhaust server computational resources by constructing malicious regular expressions, rendering the service unava…
🔍 **Defect Point**: The validation logic in `is_safe_regex_pattern` within the `search_code_advanced` function is flawed. 📉 **CWE**: Regular Expression Denial of Service (ReDoS), failure to effectively limit regex comple…
📦 **Component**: `code-index-mcp` project. 🏷️ **Version**: All versions **≤ 2.14.0** are affected.
Q4 What can hackers do? (Privileges/Data)
🛑 **Privilege**: Triggerable with **Low Privilege (PR:L)**. 📊 **Data**: Does not steal data; primarily impacts **Availability (A:L)**, causing a service outage.
Q5 Is the exploitation threshold high? (Auth/Config)
🔑 **Threshold**: Medium. ⚙️ **Configuration**: Reachable over the network (**AV:N**), but requires **Local/Low Privilege Authentication (PR:L)**; no User Interaction is needed (UI:N).
Q6 Is there a public Exp? (PoC/Wild Exploitation)
💣 **Exploit**: **Yes**. 📢 **Status**: Attack code is publicly available (refer to GitHub Issue #84), posing a risk of in-the-wild exploitation.
Q7 How to self-check? (Features/Scanning)
🔎 **Self-Check**: Check if `code-index-mcp` is used and the version is below 2.14.1. 🛡️ **Scanning**: Monitor the `regex` parameter input of the `search_code_advanced` interface to detect malicious regex construction.
Q8 Is it fixed officially? (Patch/Mitigation)
✅ **Fixed**. 🔧 **Patch**: Upgrade to **v2.14.1**. 🔗 **Hash**: `25bc02fac74051ddae15ce79e952f00211b1ea6b`.
Q9 What if no patch? (Workaround)
🛡️ **Temporary Mitigation**: If an immediate upgrade is not possible, it is recommended to implement strict **whitelist filtering** or **length/complexity restrictions** on the `regex` parameter to intercept suspicious r…
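As an added example of the pre-filter described in Q7 and Q9, the following Python is not code from the `code-index-mcp` project and is not its patched `is_safe_regex_pattern`; it is a conservative gate that a caller could place in front of the `regex` parameter of `search_code_advanced`. The function name, the length and quantifier caps, and the rejection reasons are assumptions chosen for illustration. It rejects overlong patterns, patterns with too many quantifiers, and quantified groups that themselves contain a quantifier (the shape most often behind catastrophic backtracking), and only then hands the pattern to `re.compile`.

```python
import re

# Assumed limits; tune to the longest legitimate search patterns you see.
MAX_PATTERN_LENGTH = 256
MAX_QUANTIFIERS = 16
QUANTIFIER_CHARS = set("*+?{")


def check_regex_pattern(pattern: str) -> tuple[bool, str]:
    """Return (ok, reason) for a user-supplied regex (hypothetical helper).

    Conservative by design: counting every '{' and lazy '?' as a quantifier
    and flagging every quantified group that contains a quantifier will
    reject some harmless patterns, which is the right trade-off for an
    availability-protecting pre-filter.
    """
    if len(pattern) > MAX_PATTERN_LENGTH:
        return False, f"pattern longer than {MAX_PATTERN_LENGTH} characters"

    quantifier_count = 0
    # One entry per open group: does that group contain a quantifier so far?
    group_has_quantifier: list[bool] = []
    in_class = False
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":            # escaped char: skip it and whatever follows
            i += 2
            continue
        if in_class:             # inside [...] nothing is a quantifier or group
            if c == "]":
                in_class = False
            i += 1
            continue
        if c == "[":
            in_class = True
        elif c == "(":
            group_has_quantifier.append(False)
            if i + 1 < n and pattern[i + 1] == "?":   # (?:...), (?=...), (?P<n>...)
                i += 1                                # the '?' is syntax, not a quantifier
        elif c == ")":
            if not group_has_quantifier:
                return False, "unbalanced parenthesis"
            inner = group_has_quantifier.pop()
            following = pattern[i + 1] if i + 1 < n else ""
            if inner and following in QUANTIFIER_CHARS:
                return False, "nested quantifier"
            if inner and group_has_quantifier:        # propagate to enclosing group
                group_has_quantifier[-1] = True
        elif c in QUANTIFIER_CHARS:
            quantifier_count += 1
            if quantifier_count > MAX_QUANTIFIERS:
                return False, f"more than {MAX_QUANTIFIERS} quantifiers"
            if group_has_quantifier:
                group_has_quantifier[-1] = True
        i += 1

    if in_class or group_has_quantifier:
        return False, "unbalanced pattern"
    try:
        re.compile(pattern)
    except re.error as exc:
        return False, f"invalid regex: {exc}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, as a caller of the search interface might send them.
    for sample in ["def\\s+\\w+\\(", "(?:ab)+c", "(a+)+", "x" * 300]:
        ok, reason = check_regex_pattern(sample)
        print(f"{'ACCEPT' if ok else 'REJECT'} {sample[:40]!r}: {reason}")
```

Rejections are worth logging with the caller identity and the offending pattern, since Q7 suggests watching this parameter as a detection signal; the structural check is cheap (one linear pass) and runs before any compilation, so a hostile pattern never reaches the matcher.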
⚡ **Priority**: **High**. 📅 **Time**: Exploit is public, and the CVSS score includes an availability impact. It is recommended to upgrade to v2.14.1 **as soon as possible** to eliminate the risk.