AnythingMCP

v0.1.18 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

Published 1mo MCP Developer Tools
✓ No known CVEs patched
This release patches 6 known CVEs

Topics

ai-agents anthropic api-gateway api-to-mcp chatgpt claude
database gemini graphql llm-tools mcp mcp-gateway mcp-middleware mcp-proxy mcp-server model-context-protocol openapi rest self-hosted soap

Affected surfaces

auth rce_ssrf deps

Summary

AI summary

Removed hardcoded JWT_SECRET/ENCRYPTION_KEY fallbacks; missing or placeholder keys now cause startup failure.

Full changelog

First batch of security blockers from the full project review (#101).

Highlights

  • Secrets: removed hardcoded JWT_SECRET / ENCRYPTION_KEY fallbacks; the app refuses to start if either is missing or below 32 chars or matches a known placeholder.
  • SSRF guard: DNS-aware host check that blocks loopback, link-local (incl. 169.254.169.254 cloud metadata), RFC1918, CGNAT and IPv4-mapped IPv6 — applied to REST/GraphQL/SOAP/MCP-client engines, OAuth2 token service, mcp-oauth, and OpenAPI/Postman/GraphQL spec fetchers.
  • SQL injection: DatabaseEngine now compiles templates to driver-specific prepared statements ($1 pg, ? mysql/sqlite, @p0 mssql, :b0 oracle); user values are bound, never inlined.
  • Template injection: REST bodyTemplate rejects __proto__ / constructor / prototype keys and JSON-encodes interpolated values.
  • IDOR: tools update/delete pinned to connectorId; roles and users admin endpoints scoped to the requesting organization.
  • HTTP: Helmet middleware, HSTS in prod, CORS rejects '*' + credentials in production, per-endpoint rate limiting on auth flows.
  • Dependencies: npm audit fix brings vulnerabilities from 43 (1 critical, 22 high, 20 moderate) down to 11 (1 high, 10 moderate transitive); Dependabot config added.
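
The prepared-statement compilation described in the SQL injection item, as an added example that is not AnythingMCP's own code. It assumes a hypothetical {{name}} template syntax and a hypothetical compileTemplate helper, and uses the per-driver placeholder styles listed above; it also refuses a placeholder that sits inside a quoted SQL literal, where a bind marker would not act as a parameter.

```javascript
// Added example, not AnythingMCP's code. The {{name}} syntax and the
// compileTemplate name are assumptions; placeholder styles follow the changelog.
const PLACEHOLDER = {
  pg: (i) => `$${i + 1}`,   // $1, $2, ...
  mysql: () => '?',
  sqlite: () => '?',
  mssql: (i) => `@p${i}`,   // @p0, @p1, ...
  oracle: (i) => `:b${i}`,  // :b0, :b1, ...
};

function compileTemplate(template, args, driver) {
  const style = Object.prototype.hasOwnProperty.call(PLACEHOLDER, driver)
    ? PLACEHOLDER[driver] : null;
  if (!style) throw new Error(`unsupported driver: ${driver}`);
  const values = [];
  const text = template.replace(/\{\{\s*([A-Za-z_]\w*)\s*\}\}/g, (m, name, offset) => {
    // A bind marker inside '...' is literal text, not a parameter; refuse it
    // rather than fall back to string concatenation.
    const quotesBefore = template.slice(0, offset).split("'").length - 1;
    if (quotesBefore % 2 === 1) {
      throw new Error(`placeholder {{${name}}} is inside a quoted literal`);
    }
    if (!Object.prototype.hasOwnProperty.call(args, name)) {
      throw new Error(`missing parameter: ${name}`);
    }
    values.push(args[name]);          // value travels separately from the SQL text
    return style(values.length - 1);  // only the marker enters the SQL text
  });
  return { text, values };
}

// Constructed sample input: a hostile value stays in `values`, never in `text`.
const demo = compileTemplate(
  'SELECT id FROM users WHERE email = {{email}} AND org_id = {{org}}',
  { email: "x' OR '1'='1", org: 7 },
  'pg'
);
console.log(demo.text, demo.values);
```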

Compatibility note

After upgrade you must set JWT_SECRET and ENCRYPTION_KEY to real values (≥32 chars, not the documented placeholders). Generate with openssl rand -base64 48. The app will refuse to boot otherwise — that is the fix.

Breaking Changes

  • Removed hardcoded JWT_SECRET and ENCRYPTION_KEY fallbacks; application aborts on startup if either is missing, <32 characters, or matches a known placeholder.

Security Fixes

  • SSRF guard added: DNS-aware host checks block loopback, link‑local (including cloud metadata), RFC1918, CGNAT and IPv4‑mapped IPv6 across REST/GraphQL/SOAP/MCP‑client engines, OAuth2 token service, mcp‑oauth and OpenAPI/Postman/GraphQL spec fetchers.
  • DatabaseEngine now compiles SQL templates to driver‑specific prepared statements (no inlined user values).
  • REST bodyTemplate rejects __proto__, constructor, prototype keys; JSON‑encodes interpolated values preventing template injection.
  • update/delete tools pinned to connectorId; admin endpoints for roles and users scoped to requesting organization mitigating IDOR.
  • Helmet middleware, HSTS in production, CORS rejecting '*' + credentials, per‑endpoint rate limiting on auth flows added.
  • npm audit fix reduces vulnerabilities from 43 (1 critical) to 11 (1 high); Dependabot config added.
