Skip to content

epicsagas/alcove

v0.7.12 Security

This release includes 8 security fixes for security teams reviewing exposed deployments.

Published 1mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 8 known CVEs

Topics

ai-agent claude-code documentation knowledge-base mcp mcp-server
+2 more
privacy rust

Affected surfaces

auth rce_ssrf

Summary

AI summary

Per-IP rate limiting and SSRF whitelist validation address multiple security vulnerabilities.

Full changelog

v0.7.12

Security

  • Per-IP rate limiting on /mcp endpoint
  • SSRF whitelist validation
  • ABBA deadlock fix
  • Vault path traversal validation
  • Blocked ALCOVE_HOME from pointing to system-sensitive directories
  • CORS off-by-one fix and query length limit
  • Poisoned mutex recovery
  • TOML injection prevention
  • Symlink cycle infinite loop guard

Features

  • Multi-vault knowledge base support (CLI, indexing, HTTP API, MCP tools)
  • Hybrid MCP proxy mode with Claude plugin support
  • launchd process lifecycle management (enable/disable/start/stop/restart)
  • alcove lint and alcove promote commands
  • Memory budget configuration
  • PDF support improvements
  • Query embedding cache with doctor diagnostics

Fixes & Improvements

  • All clippy warnings resolved (-D warnings clean)
  • 371 tests passing
  • Stable Rust compatible (no nightly features required)
  • HNSW per-project cache with TTL eviction
  • Sequential streaming to bound RSS during indexing
  • Index reader caching to eliminate double opens

Platform Support

  • macOS arm64 — full features (BM25 + vector search + embedding)
  • Linux x86_64 (musl) — BM25 search + HTTP server
  • Windows x86_64 — BM25 search + HTTP server

💡 For full features on Linux/Windows, build from source: cargo install alcove --features full

Full Changelog: https://github.com/epicsagas/alcove/compare/v0.7.11...v0.7.12

Security Fixes

  • Per-IP rate limiting on `/mcp` endpoint mitigates abuse
  • SSRF whitelist validation prevents unauthorized requests
  • Vault path traversal validation blocks unsafe paths
  • Blocked ALCOVE_HOME from pointing to system‑sensitive directories
  • CORS off-by-one fix and query length limit prevent misconfiguration exploits
  • Poisoned mutex recovery avoids deadlock scenarios
  • TOML injection prevention stops malicious configuration injections
  • Symlink cycle infinite loop guard eliminates endless loops
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track epicsagas/alcove

Get notified when new releases ship.

Sign up free

About epicsagas/alcove

MCP server that gives AI coding agents on-demand access to private project docs via BM25 ranked search. One setup for Claude Code, Cursor, Codex, Gemini CLI, and more. Docs stay private, never in public repos.

All releases →

Related context

Earlier breaking changes

  • v0.10.0 Changes code indexing to index all available languages by default instead of auto‑detecting

Beta — feedback welcome: [email protected]