[BUG] 2.1.9 regression: Uncontrolled request spam to /mcp and OAuth endpoints by Claude Code

Resolved 💬 5 comments Opened Jan 16, 2026 by fahreddinozcan Closed Jan 17, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

We operate Context7, Claude Code 2.1.9 is sending an extremely excessive number of requests to our /mcp and /oauth endpoints, effectively DDoS-ing our infrastructure. This is not a minor performance issue — our DDoS protection has been triggered multiple times, causing service degradation for our legitimate users.
The timestamp of the Claude Code 2.1.9 release correlates exactly with a sudden, massive spike in traffic to our servers. This is causing real operational harm to our platform.

We've checked and the timestamp of the release of Claude Code 2.1.9 matches exactly with the increase in the load of our servers.

What Should Happen?

Claude Code should make requests to MCP and OAuth endpoints only when necessary — not thousands of requests in a matter of minutes. Whatever polling, retry logic, or connection mechanism was changed in 2.1.9 needs immediate attention.

Error Messages/Logs

<img width="1453" height="626" alt="Image" src="https://github.com/user-attachments/assets/d417086e-c4f7-47cf-b082-57b7d4d53dee" />

You can see the request counts in the last 30 minutes.
<img width="1479" height="672" alt="Image" src="https://github.com/user-attachments/assets/601a8f84-4ec6-4314-affe-35b68acfd176" />

Affected endpoints:

  • /mcp
  • /.well-known/oauth-authorization-server/mcp
  • /.well-known/openid-configuration/mcp
  • /mcp/.well-known/openid-configuration

Steps to Reproduce

Not directly reproducable, but we can see from our firewall requests that some clients sends thousands of requests in few minutes.

Claude Model

Not sure / Multiple models

Is this a regression?

Yes, this worked in a previous version

Last Working Version

2.1.8

Claude Code Version

2.1.9

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

From our firewall and server logs:

Multiple Claude Code 2.1.9 user agents are sending thousands of requests within minutes
This traffic pattern is indistinguishable from a DDoS attack
Our rate limiting and DDoS protection have been triggered, impacting legitimate users
This began exactly when 2.1.9 was released and did not occur with 2.1.8

We urge you to treat this as a high-priority issue. MCP server operators should not have their infrastructure overwhelmed by the client implementation. Please consider a hotfix or rollback of whatever change caused this regression.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗