n24q02m/better-godot-mcp

v1.18.3 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 6d MCP Developer Tools

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

ai-agents ai-coding claude claude-code cursor docker

+7 more

gdscript godot godot-engine mcp mcp-server model-context-protocol typescript

Affected surfaces

rce_ssrf

Summary

AI summary

Fixed symlink traversal vulnerability in safeResolve and pinned mcp-core to 1.17.0 for stable OAuth refresh_token handling.

Changes in this release

Type	Severity	Summary	CVE
Dependency	Low	Pin mcp-core to version 1.17.0 for stable OAuth refresh_token handling. Pin mcp-core to version 1.17.0 for stable OAuth refresh_token handling. Source: llm_adapter@2026-05-29 Confidence: high	—
Bugfix	Medium	Canonicalize paths in safeResolve to block symlink traversal. Canonicalize paths in safeResolve to block symlink traversal. Source: llm_adapter@2026-05-29 Confidence: high	—

Full changelog

v1.18.3 (2026-05-29)

Bug Fixes

Canonicalize paths in safeResolve to block symlink traversal (#708, a26ed8e)
Pin mcp-core 1.17.0 (stable OAuth refresh_token) (9cb4708)

Detailed Changes: v1.18.3-beta.1...v1.18.3

Security Fixes

Canonicalized paths in safeResolve to block symlink traversal — prevents directory traversal attacks

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track n24q02m/better-godot-mcp

Get notified when new releases ship.

About n24q02m/better-godot-mcp

18 composite tools for structured Godot 4.x interaction: scenes, nodes, GDScript, shaders, animation, tilemap, physics, audio, navigation, UI, input mapping, and signals.

All releases →