
This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 1mo MCP Data & Storage
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

anthropic claude gleif go legal-entity-identifier lei mcp mcp-server model-context-protocol

Affected surfaces

rce_ssrf breaking_upgrade

Summary

AI summary

Fixed multiple security vulnerabilities including cache poisoning, path injection, and raw body leakage in validation APIs.

Full changelog

Fixed (security)

  • `validate_lei` cache poisoning: only cache definitive 404 responses; transient upstream errors (5xx, timeout, rate-limit retry exhaustion) no longer poison the 24-hour validation cache. Previously a single concurrent client saturating the rate limiter could mark a targeted LEI as `Valid=false` for the rest of the day. (168b2a0)
  • `get_lei_issuer` path injection: validate `issuer_id` against `^[A-Z0-9]{4,32}$` and `url.PathEscape` before URL interpolation; closes a path-traversal pivot from `/lei-issuers/` to other GLEIF endpoints. Tool spec gains `Pattern`, `MinLength=4`, `MaxLength=32` so the MCP framework rejects malformed IDs client-side too. ISIN, BIC, and country tool inputs now validated as full-regex matches (length-only checks were insufficient); `search_by_isin` routes input through `url.Values.Encode()` instead of raw `fmt.Sprintf`. (8d96c05)
  • HG-2 raw-body leak: API error responses no longer echo raw 4xx response body verbatim to MCP callers; replaces with `http.StatusText`. Restores compliance with hard gate HG-2. (1c91a59)

Found by Carlini-style autonomous vulnerability scaffold sweep across the MCP portfolio.

Full Changelog: https://github.com/olgasafonova/gleif-mcp-server/compare/v0.7.0...v0.8.0
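
The `get_lei_issuer` fix from the changelog above, sketched as an added Go example (not the project's own code): an unchecked path interpolation beside the validate-then-escape form. The placeholder host, the `other-endpoint` name, the function names and the sample IDs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
)

// Placeholder host, not the real upstream API address.
const baseURL = "https://api.example.invalid/api/v1"

// Allow-list quoted in the changelog; in Go, $ matches only at end of text.
var issuerIDPattern = regexp.MustCompile(`^[A-Z0-9]{4,32}$`)

// lengthOnly is the kind of check the changelog calls insufficient (constructed).
func lengthOnly(id string) bool { return len(id) >= 4 && len(id) <= 32 }

// issuerURLUnsafe is the pre-fix shape: input interpolated into the path unchecked.
func issuerURLUnsafe(id string) string {
	return fmt.Sprintf("%s/lei-issuers/%s", baseURL, id)
}

// issuerURL validates against the full pattern, then escapes as defence in depth.
func issuerURL(id string) (string, error) {
	if !issuerIDPattern.MatchString(id) {
		return "", fmt.Errorf("issuer_id %q does not match %s", id, issuerIDPattern)
	}
	return baseURL + "/lei-issuers/" + url.PathEscape(id), nil
}

// resolvedPath is the path after dot-segment normalisation, as a proxy or server may apply.
func resolvedPath(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return path.Clean(u.Path)
}

func main() {
	// Constructed inputs: one well-formed ID and three that must be rejected.
	for _, id := range []string{"ABCD1234", "../other-endpoint", "ABCD\n", "abc"} {
		safe, err := issuerURL(id)
		fmt.Printf("%q lengthOnly=%v unsafe=%s safe=%q err=%v\n",
			id, lengthOnly(id), resolvedPath(issuerURLUnsafe(id)), safe, err)
	}
}
```

The second input passes the length-only check and, without validation, resolves outside `/lei-issuers/`; the full-pattern check rejects it before any URL is built.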

Security Fixes

  • `validate_lei` cache poisoning fix: only definitive 404 responses are cached; transient upstream errors no longer poison the validation cache.
  • `get_lei_issuer` path injection mitigation: `issuer_id` now validated against regex `^[A-Z0-9]{4,32}$` and URL-escaped before interpolation; prevents traversal from `/lei-issuers/` to other endpoints. Added schema constraints (`Pattern`, `MinLength=4`, `MaxLength=32`).
  • HG-2 raw-body leak fix: API error responses no longer echo raw 4xx bodies; they now return `http.StatusText` for compliance.


About olgasafonova/gleif-mcp-server

Access the Global Legal Entity Identifier (LEI) database for company verification, KYC, and corporate ownership research via GLEIF's public API.
