
Epistates/TurboMCP

v2.3.6 Security

This release includes 2 security fixes and is relevant to security teams reviewing exposed deployments.

Published 5mo ago · MCP Developer Tools
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

mcp mcp-client mcp-sdk mcp-server mcp-servers rust

Affected surfaces

auth crypto_tls breaking_upgrade

Summary

AI summary

TLS certificate validation now requires explicit opt‑in and default TLS version upgraded to 1.3, preventing insecure configurations.

Full changelog

[2.3.6] - 2026-01-03

Security

This release includes multiple security hardening improvements identified during a comprehensive audit.

CRITICAL

  • TLS certificate validation bypass gate (turbomcp-transport) - Disabling certificate validation now requires explicit opt-in via TURBOMCP_ALLOW_INSECURE_TLS=1 environment variable. Without this, the client will panic with a security error. This prevents accidental deployment of insecure configurations.
  • jsonwebtoken consolidated to v10.2 - Unified all crates on jsonwebtoken v10.2.0 with aws_lc_rs crypto backend, eliminating version fragmentation and ensuring consistent security.
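The fail-closed gate described in the first item, as an added example that is not TurboMCP's own code: a stand-in TlsConfig whose certificate validation can only be switched off when the opt-in variable named in the changelog is set to exactly 1, and whose minimum version defaults to TLS 1.3. The TlsVersion and TlsConfig types, the error type and the method names are assumptions for illustration; only the variable name TURBOMCP_ALLOW_INSECURE_TLS and the Tls12/Tls13 variant names come from the page.

```rust
use std::env;
use std::fmt;

/// Minimum TLS protocol version accepted by the transport. A stand-in for the
/// crate's own TlsVersion (assumed shape, not its real definition).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TlsVersion {
    /// Still selectable for legacy peers, but deprecated per the changelog.
    Tls12,
    Tls13,
}

impl Default for TlsVersion {
    fn default() -> Self {
        TlsVersion::Tls13
    }
}

/// Environment variable named in the changelog; "1" is the only value that opts in.
pub const ALLOW_INSECURE_TLS_VAR: &str = "TURBOMCP_ALLOW_INSECURE_TLS";

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum TlsConfigError {
    /// Caller asked to skip certificate validation without the operator opt-in.
    InsecureTlsNotAllowed,
}

impl fmt::Display for TlsConfigError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            TlsConfigError::InsecureTlsNotAllowed => write!(
                f,
                "refusing to disable TLS certificate validation: set {}=1 to opt in",
                ALLOW_INSECURE_TLS_VAR
            ),
        }
    }
}

impl std::error::Error for TlsConfigError {}

/// Hypothetical client TLS settings; secure by default.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TlsConfig {
    pub min_version: TlsVersion,
    pub verify_certificates: bool,
}

impl Default for TlsConfig {
    fn default() -> Self {
        TlsConfig { min_version: TlsVersion::default(), verify_certificates: true }
    }
}

/// Pure decision function: only the exact value "1" (surrounding whitespace
/// ignored) counts as an opt-in, so "true", "yes" or an empty value do not.
pub fn insecure_tls_allowed(env_value: Option<&str>) -> bool {
    matches!(env_value.map(str::trim), Some("1"))
}

impl TlsConfig {
    /// Turn off certificate validation, gated on the opt-in value passed in.
    /// Returning Result keeps the policy testable; the caller decides whether to panic.
    pub fn disable_certificate_validation(
        mut self,
        env_value: Option<&str>,
    ) -> Result<Self, TlsConfigError> {
        if !insecure_tls_allowed(env_value) {
            return Err(TlsConfigError::InsecureTlsNotAllowed);
        }
        self.verify_certificates = false;
        Ok(self)
    }

    /// Same gate, reading the real process environment.
    pub fn disable_certificate_validation_from_env(self) -> Result<Self, TlsConfigError> {
        let value = env::var(ALLOW_INSECURE_TLS_VAR).ok();
        self.disable_certificate_validation(value.as_deref())
    }
}

fn main() {
    // Without TURBOMCP_ALLOW_INSECURE_TLS=1 in the environment this panics with the
    // security error, which is the fail-closed behaviour the changelog describes.
    let cfg = TlsConfig::default()
        .disable_certificate_validation_from_env()
        .expect("insecure TLS requested without explicit opt-in");
    println!("{:?}", cfg);
}
```

Keeping the decision in a pure function that takes the variable's value as a parameter lets the policy be unit-tested without mutating the process environment, and matching only the literal 1 avoids a loose parser turning a stray TURBOMCP_ALLOW_INSECURE_TLS=false into an opt-in.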

HIGH

  • TLS 1.3 default (turbomcp-transport) - Default minimum TLS version changed from 1.2 to 1.3 for improved security. TLS 1.2 remains available via TlsVersion::Tls12 but is now deprecated.
  • Enhanced path traversal protection (turbomcp-protocol) - Added detection for URL-encoded patterns (%2e, %252e), null byte injection (\0, %00), and Unicode lookalike characters.
  • JWT algorithm allowlist (turbomcp-auth) - MultiIssuerValidator now validates JWT algorithms before processing, only permitting asymmetric algorithms (ES256/384, RS256/384/512, PS256/384/512) to prevent algorithm confusion attacks.
  • Explicit rustls backend (turbomcp-transport, turbomcp-proxy) - HTTP client now explicitly uses rustls via .use_rustls_tls() to prevent native-tls fallback issues with TLS 1.3.
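The path traversal detection described in the second HIGH item, as an added example that is not the turbomcp-protocol code: it percent-decodes repeatedly (so %252e collapses to a dot), rejects any surviving NUL byte (raw \0 or %00), folds a handful of Unicode lookalikes for dot and slash onto ASCII, and then looks for a ".." segment. The function names, the finding enum, the decode-round limit and the specific lookalike code points are my own choices, not the crate's list.

```rust
/// Why an input was flagged. Mirrors the pattern families the changelog lists.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum TraversalFinding {
    /// A NUL byte survived decoding (raw "\0" or "%00"); it can truncate paths in C APIs.
    NullByte,
    /// A ".." path segment appeared after decoding and lookalike folding.
    DotDotSegment,
}

/// Upper bound on repeated percent-decoding: enough for "%252e" (double encoding)
/// while refusing to loop on pathological inputs.
const MAX_DECODE_ROUNDS: usize = 4;

fn hex_val(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}

/// One round of %XX decoding; malformed sequences are copied through unchanged.
fn percent_decode_once(input: &str) -> String {
    let bytes = input.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let (Some(hi), Some(lo)) = (hex_val(bytes[i + 1]), hex_val(bytes[i + 2])) {
                out.push(hi * 16 + lo);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Decode until the string stops changing (or the round limit is hit).
pub fn percent_decode_fully(input: &str) -> String {
    let mut current = input.to_string();
    for _ in 0..MAX_DECODE_ROUNDS {
        let next = percent_decode_once(&current);
        if next == current {
            break;
        }
        current = next;
    }
    current
}

/// Fold Unicode characters that render like '.', '/' or '\' onto their ASCII forms.
/// This selection of code points is an assumption for the example.
fn fold_lookalike(c: char) -> char {
    match c {
        '\u{FF0E}' | '\u{2024}' => '.',              // fullwidth full stop, one dot leader
        '\u{FF0F}' | '\u{2215}' | '\u{2044}' => '/', // fullwidth solidus, division slash, fraction slash
        '\u{FF3C}' | '\u{29F5}' => '\\',             // fullwidth reverse solidus, reverse solidus operator
        other => other,
    }
}

/// Inspect a user-supplied path and report the first traversal indicator found.
pub fn detect_path_traversal(input: &str) -> Option<TraversalFinding> {
    let decoded = percent_decode_fully(input);
    if decoded.contains('\0') {
        return Some(TraversalFinding::NullByte);
    }
    let folded: String = decoded.chars().map(fold_lookalike).collect();
    // Treat backslashes as separators too, so "..\x" is caught on every platform.
    let has_dotdot = folded
        .split(|c| c == '/' || c == '\\')
        .any(|segment| segment == "..");
    if has_dotdot {
        Some(TraversalFinding::DotDotSegment)
    } else {
        None
    }
}

fn main() {
    // Constructed sample inputs for illustration.
    let samples = ["docs/readme.md", "../etc/passwd", "%252e%252e%252fsecret", "a.txt%00.md"];
    for p in samples {
        println!("{:24} -> {:?}", p, detect_path_traversal(p));
    }
}
```

Checking for ".." as a whole segment rather than as a substring keeps legitimate names like report..final.txt from being rejected, while decoding to a fixed point before the check is what defeats the double-encoded %252e form.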
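The algorithm allowlist from the third HIGH item, as an added example that is not the turbomcp-auth MultiIssuerValidator: the JWT header is decoded and its alg claim checked against the asymmetric algorithms the changelog names before any signature verification would run, so HS256 and none are rejected up front. To stay dependency-free it carries its own base64url codec and a deliberately minimal JSON field extractor; the function and error names, the sample tokens and the placeholder signature are constructed for illustration.

```rust
/// Asymmetric algorithms the changelog lists as permitted; everything else
/// (HS*, "none", unknown) is rejected before any signature work happens.
pub const ALLOWED_JWT_ALGS: &[&str] = &[
    "ES256", "ES384", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
];

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum JwtAlgError {
    /// Not three dot-separated segments, undecodable header, or no "alg" claim.
    Malformed,
    /// Header parsed, but the algorithm is outside the allowlist.
    DisallowedAlgorithm(String),
}

const B64URL: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// Unpadded base64url encoder, used only to build the constructed sample tokens.
pub fn base64url_encode(data: &[u8]) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let b1 = *chunk.get(1).unwrap_or(&0) as u32;
        let b2 = *chunk.get(2).unwrap_or(&0) as u32;
        let n = ((chunk[0] as u32) << 16) | (b1 << 8) | b2;
        out.push(B64URL[((n >> 18) & 63) as usize] as char);
        out.push(B64URL[((n >> 12) & 63) as usize] as char);
        if chunk.len() > 1 {
            out.push(B64URL[((n >> 6) & 63) as usize] as char);
        }
        if chunk.len() > 2 {
            out.push(B64URL[(n & 63) as usize] as char);
        }
    }
    out
}

/// Unpadded base64url decoder; returns None on any character outside the alphabet.
pub fn base64url_decode(s: &str) -> Option<Vec<u8>> {
    let mut out = Vec::new();
    let (mut acc, mut nbits) = (0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None,
        };
        acc = (acc << 6) | v as u32;
        nbits += 6;
        if nbits >= 8 {
            nbits -= 8;
            out.push((acc >> nbits) as u8);
            acc &= (1 << nbits) - 1; // keep only the leftover bits
        }
    }
    Some(out)
}

/// Minimal extraction of a top-level string field from a JSON object.
/// Deliberately simple (no escape handling); a real validator uses a JSON parser.
fn json_string_field(json: &str, key: &str) -> Option<String> {
    let pattern = format!("\"{}\"", key);
    let after_key = &json[json.find(&pattern)? + pattern.len()..];
    let value = after_key.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    let end = value.find('"')?;
    Some(value[..end].to_string())
}

/// Parse only the header and check "alg" against the allowlist. Returns the
/// accepted algorithm name so the caller can pick the matching verifier.
pub fn check_jwt_algorithm(token: &str) -> Result<String, JwtAlgError> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 {
        return Err(JwtAlgError::Malformed);
    }
    let header_bytes = base64url_decode(parts[0]).ok_or(JwtAlgError::Malformed)?;
    let header = String::from_utf8(header_bytes).map_err(|_| JwtAlgError::Malformed)?;
    let alg = json_string_field(&header, "alg").ok_or(JwtAlgError::Malformed)?;
    if ALLOWED_JWT_ALGS.contains(&alg.as_str()) {
        Ok(alg)
    } else {
        Err(JwtAlgError::DisallowedAlgorithm(alg))
    }
}

/// Constructed sample token with the given alg and a placeholder signature;
/// only the header matters for this pre-check.
pub fn sample_token(alg: &str) -> String {
    let header = format!("{{\"alg\":\"{}\",\"typ\":\"JWT\"}}", alg);
    let payload = r#"{"iss":"https://issuer.example","sub":"user-1"}"#;
    let sig = "sig-placeholder"; // constructed, never verified here
    format!("{}.{}.{}", base64url_encode(header.as_bytes()), base64url_encode(payload.as_bytes()), sig)
}

fn main() {
    for alg in ["ES256", "HS256", "none"] {
        println!("{:6} -> {:?}", alg, check_jwt_algorithm(&sample_token(alg)));
    }
}
```

Running the allowlist check before any key lookup is the point: with only asymmetric algorithms permitted, a header that names a symmetric or null algorithm can never steer verification toward the public key as an HMAC secret, which is the confusion the changelog item is guarding against.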

MEDIUM

  • API key minimum length (turbomcp-auth) - API keys must now be at least 32 characters (MIN_API_KEY_LENGTH). Shorter keys are rejected to prevent brute-force attacks.
  • DPoP nonce storage warnings (turbomcp-dpop) - MemoryNonceTracker now logs security warnings about single-instance limitations in production deployments.

Changed

  • TlsVersion::default() now returns Tls13 instead of Tls12
  • validate_api_key() returns false for keys shorter than 32 characters
  • reqwest dependency updated to use rustls-tls feature with default-features disabled

Dependencies

  • jsonwebtoken: 10.1 → 10.2 (with aws_lc_rs and use_pem features)
  • reqwest: Added rustls-tls feature, disabled native-tls default
  • oauth2: Added rustls-tls feature to eliminate native-tls dependency
  • tokio-tungstenite: Switched from native-tls to rustls-tls-native-roots feature
  • criterion: Unified all crates on v0.7.0 (workspace version)
  • Removed atty dependency in favor of std::io::IsTerminal (Rust 1.70+ stdlib)
  • native-tls completely eliminated from dependency tree (security + portability improvement)

Full Changelog: https://github.com/Epistates/turbomcp/compare/v2.3.5...v2.3.6

Breaking Changes

  • Disabling TLS certificate validation now requires explicit `TURBOMCP_ALLOW_INSECURE_TLS=1`; without it the client panics.
  • `TlsVersion::default()` changed from `Tls12` to `Tls13`, altering default transport security.

Security Fixes

  • TLS certificate validation bypass gate now requires explicit opt‑in (`TURBOMCP_ALLOW_INSECURE_TLS=1`) to prevent accidental insecure deployments.
  • Consolidated `jsonwebtoken` crate to v10.2 with unified crypto backend, eliminating version fragmentation.


About Epistates/TurboMCP

TurboMCP SDK: Enterprise MCP SDK in Rust
