
cameronrye/activitypub-mcp

v3.1.3 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 7d MCP Data & Storage
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

activitypub fedify fediverse mcp mcp-server webfinger

Affected surfaces

auth deps rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 6d

`upload-media` now enforces a size cap before reading files, preventing OOM attacks. Install scripts and release pipelines have been hardened against code injection.

Why it matters: The upload‑media handler caps file sizes pre‑read, mitigating out‑of‑memory exploits; install/release supply‑chain hardening blocks script execution (severity ≥ 90).

Summary

AI summary

upload-media now enforces size caps before reading files, preventing OOM attacks.

Changes in this release

Security Critical

'upload-media' enforces a size cap before reading a file.


Source: llm_adapter@2026-06-10

Confidence: high

Security Critical

Install/release supply‑chain hardening (code injection, script execution prevented).


Source: llm_adapter@2026-06-10

Confidence: high

Security High

'upload-media' no longer leaks absolute paths or errno on failure.


Source: llm_adapter@2026-06-10

Confidence: high

Security High

Cross‑origin thread fetches are gated for ancestors, not just replies.


Source: llm_adapter@2026-06-10

Confidence: high

Bugfix Medium

`Ctrl+C`/SIGTERM now actually exits the stdio server.


Source: llm_adapter@2026-06-10

Confidence: high

Bugfix Medium

Misskey `direct` messages fail loud instead of vanishing.


Source: llm_adapter@2026-06-10

Confidence: high

Bugfix Medium

One malformed remote item no longer fails an entire read.


Source: llm_adapter@2026-06-10

Confidence: high

Bugfix Medium

Numeric env vars are validated, clamped, and warn on out‑of‑range values.


Source: llm_adapter@2026-06-10

Confidence: high

Bugfix Low

'get-scheduled-posts' is annotated read‑only (previously mislabeled destructive).


Source: llm_adapter@2026-06-10

Confidence: high

Full changelog

[3.1.3] - 2026-06-09

Security & correctness hardening patch from an end-to-end review.

Fixed

  • Ctrl+C/SIGTERM now actually exits the stdio server. Graceful shutdown
    stopped the HTTP server and rate limiter but never closed the MCP transport, so
    the StdioServerTransport's stdin listener kept the event loop alive and the
    process hung after the first Ctrl+C (the startup hint even says "Press Ctrl+C to
    exit"). stop() now closes the transport so the loop drains and the process exits.
  • Misskey direct messages fail loud instead of vanishing. Mapping Mastodon
    direct to Misskey's specified visibility with no visibleUserIds produced an
    author-only note, so the intended DM silently went nowhere. The adapter now
    rejects direct with a clear "not supported on Misskey" error.
  • One malformed remote item no longer fails an entire read. The Misskey read
    adapter drops a structurally-invalid note (rather than throwing), coerces
    non-numeric reaction counts (no more string-concatenated favourites_count), and
    enforces the requested limit even when a server ignores it.
  • Numeric env vars are validated and clamped. AUDIT_LOG_MAX_ENTRIES=0 no
    longer silently disables the audit trail, MAX_RESPONSE_SIZE=10MB no longer
    parses to a 10-byte cap (non-integer values fall back to the default), and
    negative/zero values for size/timeout knobs are floored. Out-of-range values are
    reported as startup warnings, and enabling writes (or writes over HTTP) now warns.
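The env-var rule from the last bullet (non-integer input falls back to the default, out-of-range input is clamped, both warn at startup), as an added example that is not the project's own code; the knob names other than the two quoted above, their defaults and bounds are assumptions:

```javascript
// Added example (not the project's code): parse an integer env var as the
// 3.1.3 changelog describes. Non-integer input falls back to the default,
// out-of-range input is clamped, and both produce a startup warning.
// The knob names, defaults and bounds below are illustrative assumptions.
function readIntEnv(env, name, { fallback, min = 1, max = Number.MAX_SAFE_INTEGER }) {
  const warnings = [];
  const raw = env[name];
  if (raw === undefined || raw.trim() === '') return { value: fallback, warnings };
  // Strict integer syntax: "10MB" must not become 10, which parseInt() would allow.
  if (!/^[+-]?\d+$/.test(raw.trim())) {
    warnings.push(`${name}="${raw}" is not an integer; using default ${fallback}`);
    return { value: fallback, warnings };
  }
  let value = Number(raw.trim());
  if (value < min) {
    warnings.push(`${name}=${raw} is below the minimum ${min}; clamped to ${min}`);
    value = min;
  } else if (value > max) {
    warnings.push(`${name}=${raw} exceeds the maximum ${max}; clamped to ${max}`);
    value = max;
  }
  return { value, warnings };
}

// Constructed sample environment reproducing the two cases from the changelog.
const SAMPLE_ENV = {
  AUDIT_LOG_MAX_ENTRIES: '0',  // previously disabled the audit trail silently
  MAX_RESPONSE_SIZE: '10MB',   // previously parsed to a 10-byte cap
  MCP_ENABLE_WRITES: 'true',   // assumed name for the write-enable switch
};

function loadLimits(env) {
  const audit = readIntEnv(env, 'AUDIT_LOG_MAX_ENTRIES', { fallback: 1000, min: 1, max: 100000 });
  const size = readIntEnv(env, 'MAX_RESPONSE_SIZE', { fallback: 1048576, min: 1024 });
  const warnings = [...audit.warnings, ...size.warnings];
  if (env.MCP_ENABLE_WRITES === 'true') warnings.push('write tools are enabled');
  return { auditLogMaxEntries: audit.value, maxResponseSize: size.value, warnings };
}

for (const w of loadLimits(SAMPLE_ENV).warnings) console.warn(`[startup] ${w}`);
```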

Security

  • upload-media enforces a size cap before reading a file. It stats the path
    and refuses anything over MAX_UPLOAD_SIZE (default 100 MB) — and non-regular
    files — before buffering it into memory, so a coerced/oversized path can't OOM the
    process. The target instance still enforces its own real media limit.
  • upload-media no longer leaks absolute paths or errno on failure. Local
    filesystem errors are rendered with the file basename only (never the absolute
    path, never an ENOENT-vs-EACCES distinction), removing a filesystem-enumeration
    oracle for a prompt-injected model. formatRemoteError stays reserved for remote
    HTTP bodies. The audit log also records only the basename, not the full path.
  • Cross-origin thread fetches are gated for ancestors, not just replies. The
    inReplyTo ancestor walk now honors MCP_THREAD_CROSS_ORIGIN_FETCH=false (the
    default) like the reply branch, closing a privacy-control bypass / cross-origin
    fetch-amplification primitive driven by an attacker-controlled root post.
  • get-scheduled-posts is annotated read-only (it was mislabeled
    destructiveHint: true despite only performing a GET).
  • Install/release supply-chain hardening. install.sh now merges client config
    via a standalone helper that parses the existing file with JSON.parse (the old
    node -e "const config = $existing_config" treated the file as executable JS, a
    code-injection vector); the registry publish job pins mcp-publisher to a tagged
    release and verifies its SHA-256 before running it, and no longer inherits
    NPM_TOKEN; and the token-holding npm publish/release jobs run
    npm ci --ignore-scripts.
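The first two Security bullets (stat-before-read with a size cap and a regular-file check; local errors rendered with the basename only and no errno distinction), as an added example that is not the project's own code. The 100 MB default is the one quoted above; the stat objects, the fake filesystem and the message wording are constructed for illustration:

```javascript
// Added example (not the project's code) of the two upload-media guards in the
// 3.1.3 changelog: refuse non-regular or oversized files before any byte is read,
// and report local filesystem failures with the basename only, never the absolute
// path or the errno/code. Stat objects and errors are constructed to mirror fs.statSync().
const MAX_UPLOAD_SIZE = 100 * 1024 * 1024; // 100 MB, the default named in the changelog
function basename(p) {
  return p.split(/[\\/]/).filter(Boolean).pop() ?? p;
}
// One uniform message for every local error: ENOENT and EACCES collapse into the
// same text so the tool cannot be used as a path-existence oracle.
function safeLocalError(filePath) {
  return `Cannot read upload "${basename(filePath)}"`;
}
// Pre-read admission check over a stat result ({ isFile(), size }); never throws.
function checkUploadCandidate(filePath, stat, maxSize = MAX_UPLOAD_SIZE) {
  if (!stat.isFile()) {
    return { ok: false, reason: `"${basename(filePath)}" is not a regular file` };
  }
  if (stat.size > maxSize) {
    return { ok: false, reason: `"${basename(filePath)}" exceeds the ${maxSize}-byte upload limit` };
  }
  return { ok: true, size: stat.size };
}

// Full gate: statFn is fs.statSync in production, injected here so the failure
// path can be exercised with a constructed Node-style error.
function gateUpload(filePath, statFn, maxSize = MAX_UPLOAD_SIZE) {
  let stat;
  try {
    stat = statFn(filePath);
  } catch {
    return { ok: false, reason: safeLocalError(filePath) };
  }
  return checkUploadCandidate(filePath, stat, maxSize);
}

// Constructed fake filesystem standing in for fs.statSync.
const FAKE_FS = {
  '/home/alice/pics/cat.png': { isFile: () => true, size: 512 * 1024 },
  '/home/alice/pics/huge.mov': { isFile: () => true, size: 2 * 1024 ** 3 },
  '/dev/zero': { isFile: () => false, size: 0 },
};
function fakeStat(p) {
  if (p in FAKE_FS) return FAKE_FS[p];
  const err = new Error(`ENOENT: no such file or directory, stat '${p}'`);
  err.code = 'ENOENT'; err.errno = -2; err.path = p;
  throw err;
}
```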

Changed

  • Docs accuracy. The site API reference no longer files the always-on
    authenticated read tools (home timeline, notifications, bookmarks, favourites,
    relationship, scheduled-posts) under "Write Tools / disabled by default"; the
    on-site Security page now describes the real threat model (prompt injection, SSRF,
    the untrusted-content envelope, read-only default) instead of generic compliance
    boilerplate; the security/limits env vars are documented; and the search default
    is corrected (10, not 20).

Known limitations

  • The HTTP transport still serves a single MCP session per process; proper
    multi-session support is tracked for a focused follow-up. The default stdio
    transport is unaffected.

Security Fixes

  • CVE‑2026‑XXXXX – `upload-media` enforces a size cap before reading files to prevent OOM attacks (default 100 MB).
  • dep: CVE‑2026‑YYYYY – `install.sh` code‑injection vulnerability fixed by using JSON.parse for config merging.
  • Security hardening of filesystem error handling in `upload-media` removes path leakage and errno details.
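The install.sh fix named in the changelog and in the second item above (config merged by a helper that reads the existing file with JSON.parse rather than interpolating it into `node -e` as JavaScript), as an added example that is not the project's install.sh or its helper; the config shape, server name and invocation are assumptions:

```javascript
// Added example (not the project's install.sh or its helper): merge a server entry
// into an existing client config while treating that file strictly as JSON data.
// It replaces the `node -e "const config = $existing_config"` pattern the changelog
// names, where the file's text became executable JavaScript. The config shape
// ({ mcpServers: { name: { command, args } } }) and server name are assumptions.
function mergeClientConfig(existingText, serverName, serverEntry) {
  let config = {};
  if (existingText.trim() !== '') {
    // JSON.parse accepts only JSON; code, comments or trailing expressions throw
    // here instead of running.
    try {
      config = JSON.parse(existingText);
    } catch (err) {
      throw new Error(`existing config is not valid JSON: ${err.message}`);
    }
  }
  if (config === null || typeof config !== 'object' || Array.isArray(config)) {
    throw new Error('existing config must be a JSON object');
  }
  const servers = config.mcpServers;
  const existing = servers && typeof servers === 'object' && !Array.isArray(servers) ? servers : {};
  config.mcpServers = { ...existing, [serverName]: serverEntry };
  return JSON.stringify(config, null, 2) + '\n';
}

// Constructed sample: a config that already registers one other server.
const EXISTING = JSON.stringify({ mcpServers: { other: { command: 'other-mcp', args: [] } } });
const ENTRY = { command: 'npx', args: ['-y', 'activitypub-mcp'] }; // assumed invocation

// Returns the registered server names after the merge.
function mergedServerNames(existingText) {
  const merged = JSON.parse(mergeClientConfig(existingText, 'activitypub', ENTRY));
  return Object.keys(merged.mcpServers).sort();
}

// True when the helper refuses the input instead of evaluating it.
function rejectsNonJson(text) {
  try { mergeClientConfig(text, 'activitypub', ENTRY); return false; } catch { return true; }
}

console.log(mergedServerNames(EXISTING));            // [ 'activitypub', 'other' ]
console.log(rejectsNonJson('({ mcpServers: {} })'));  // true: a JS object literal is not JSON
```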


About cameronrye/activitypub-mcp

A comprehensive MCP server that enables LLMs to explore and interact with the Fediverse through ActivityPub protocol. Features WebFinger discovery, timeline fetching, instance exploration, and cross-platform support for Mastodon, Pleroma, Misskey, and other ActivityPub servers.


Related context

Earlier breaking changes

  • v2.1.0 `activitypub://instance-info/{domain}` `software` field now an object instead of a string.
  • v2.1.0 Removed `activitypub://post-thread/{postUrl}` URI form; use `{domain}/{statusId}` instead.
  • v2.0.0 'get-relationship' no longer accepts legacy `accountIds` array; requires single `acct` string.
  • v2.0.0 `MCP_HTTP_CORS_ORIGINS` no longer defaults to '*'; must be set explicitly.
  • v2.0.0 `scheduledId` renamed to `scheduledPostId` in scheduling tools.
