This release includes 5 security fixes and is relevant to security teams reviewing exposed deployments.
What's Changed
Security
- Patched 5 npm audit vulnerabilities (3 high, 1 moderate, 1 low)
- hono 4.12.2 → 4.12.7 (cookie injection, SSE injection, arbitrary file access)
- @hono/node-server 1.19.9 → 1.19.11 (auth bypass via encoded slashes)
- express-rate-limit 8.2.1 → 8.3.1 (IPv4-mapped IPv6 rate limit bypass)
- ajv 8.17.1 → 8.18.0 (ReDoS)
- qs 6.14.1 → 6.14.2 (DoS)
Registry & Ecosystem
- Homepage URL → mcp.revasserlabs.com (canonical cloud landing page)
- server.json, glama.json version parity
- Enabled Dependabot security updates
Cloud Hosted (v0.6.3)
- Deep security hardening: input validation on all 11 numeric params
- CORS origin-checking (only send headers when Origin matches)
- Cache-Control headers (HTML: 5min cache, JSON: no-store)
- X-Robots-Tag: noindex on API responses
- Error detail leaks removed (5 total across all endpoints)
- Search query length validation (500 char cap)
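The Cloud Hosted hardening items above, sketched as framework-agnostic pure functions so the policy can be unit-tested without a running server. This is an added example, not the project's code; the allowed-origin set and the numeric-parameter bounds are constructed placeholders, not values from the release.

```javascript
// Constructed allowlist; the real deployment decides which origins to trust.
const ALLOWED_ORIGINS = new Set(['https://mcp.revasserlabs.com']);
const MAX_QUERY_LEN = 500; // search query cap from the release notes

// CORS: emit Access-Control-* headers only when the Origin header is on the
// allowlist. Missing or unknown origins get no CORS headers at all, so the
// browser enforces same-origin for everyone else.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // caches must key on Origin once the header varies
  };
}

// Cache policy: HTML landing pages may be cached for 5 minutes; JSON API
// responses are never stored and are marked noindex so crawlers skip them.
function cacheHeaders(contentType) {
  if (contentType.startsWith('text/html')) {
    return { 'Cache-Control': 'public, max-age=300' };
  }
  return { 'Cache-Control': 'no-store', 'X-Robots-Tag': 'noindex' };
}

// Numeric query params: accept only a plain decimal integer inside the
// declared [min, max] range; anything else (NaN, "1e3", out of range) is
// rejected rather than coerced. An absent param yields the documented default.
function parseNumericParam(raw, { min, max, fallback }) {
  if (raw === undefined) return fallback;
  if (!/^-?\d+$/.test(raw)) return null;
  const n = Number(raw);
  return n >= min && n <= max ? n : null;
}

// Search query: enforce the length cap before the value reaches Slack's API.
function validateSearchQuery(q) {
  if (typeof q !== 'string' || q.length === 0) return null;
  return q.length <= MAX_QUERY_LEN ? q : null;
}

// Error responses: keep the real error server-side; the client only sees a
// generic body, so stack traces and internal paths never leak.
function errorBody(err, log = console.error) {
  log(err);
  return { error: 'internal_error' };
}
```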
Full Changelog: https://github.com/jtalk22/slack-mcp-server/compare/v3.2.1...v3.2.2
About jtalk22/slack-mcp-server
Your complete Slack context for Claude—DMs, channels, threads, search. No OAuth apps, no admin approval. `--setup` and done, 11 tools, auto-refresh.