
This release includes 2 security fixes and is relevant to teams reviewing exposed deployments.

Published 24 days ago · Category: MCP Data & Storage
✓ No known CVEs patched (the two security fixes in this release carry no CVE identifiers)

Topics: anthropic, claude, gleif, go, legal-entity-identifier, lei, mcp, mcp-server, model-context-protocol

Affected surfaces: auth, rce_ssrf

Summary

AI summary

Internal refactor of the domain identifier types (LEI, BIC, ISIN, Country, IssuerID) into typed values built by Parse* constructors at the MCP boundary; client.go split by concern; go-sdk bumped to v1.6.0; and three fixes: the HTTP client now refuses redirects (closing an SSRF pivot toward cloud metadata and other link-local services), concurrent cold-path GetLEI fetches are coalesced with singleflight, and the LEI record cache no longer hands out aliased pointers.

Full changelog

Changed

  • Internal refactor: domain identifier types (LEI, BIC, ISIN, Country, IssuerID) with Parse* constructors at the MCP boundary. Client method signatures now take typed values instead of raw strings, so format validation lives in the type system and an unvalidated string cannot reach a lookup. The MCP tool surface is unchanged; Go-package consumers of internal/gleif will see typed parameters.
  • Internal refactor: client.go split by concern into client.go (HTTP plumbing), client_lookup.go, client_search.go, client_relationships.go and client_validate.go. Complex methods (doRequest, Autocomplete, GetRelationships, GetBatchLEI) were decomposed into single-responsibility helpers, and the 13-arm handler switch was replaced with a map dispatch. Result: every source file scores Green (≥9.0) or Optimal (10.0) on CodeScene Code Health.
  • Bumped github.com/modelcontextprotocol/go-sdk to v1.6.0.
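The typed-identifier pattern above, as an added illustration (not the project's own code): a `LEI` value type whose only constructor is `ParseLEI`, which enforces the ISO 17442 format (20 characters from [0-9A-Z], last two being ISO 7064 MOD 97-10 check digits), so that anything downstream that takes a `LEI` is guaranteed a well-formed value. The `WithCheckDigits` helper, the `RecordURL` path and the sample prefix are constructed for this example; the project's real type names, fields and URL builder may differ.

```go
package main

import (
	"errors"
	"fmt"
)

// LEI is a validated Legal Entity Identifier. The zero value is unusable;
// only ParseLEI can produce a non-empty one, which is the whole point of the
// typed boundary: string-typed callers cannot smuggle unvalidated input past it.
type LEI struct{ s string }

var ErrInvalidLEI = errors.New("invalid LEI")

func (l LEI) String() string { return l.s }

// mod97 folds a string of [0-9A-Z] into its ISO 7064 residue, mapping A..Z to
// 10..35 (two digits each) and reducing after every digit so it never overflows.
func mod97(s string) (int, error) {
	n := 0
	for _, r := range s {
		var v int
		switch {
		case r >= '0' && r <= '9':
			v = int(r - '0')
		case r >= 'A' && r <= 'Z':
			v = int(r-'A') + 10
		default: // lowercase, whitespace, punctuation: reject, do not repair
			return 0, fmt.Errorf("%w: character %q", ErrInvalidLEI, r)
		}
		if v >= 10 {
			n = (n*10 + v/10) % 97
			v %= 10
		}
		n = (n*10 + v) % 97
	}
	return n, nil
}

// ParseLEI is the boundary check: exactly 20 characters, valid alphabet, and
// the whole string must be congruent to 1 mod 97.
func ParseLEI(raw string) (LEI, error) {
	if len(raw) != 20 {
		return LEI{}, fmt.Errorf("%w: want 20 characters, got %d", ErrInvalidLEI, len(raw))
	}
	n, err := mod97(raw)
	if err != nil {
		return LEI{}, err
	}
	if n != 1 {
		return LEI{}, fmt.Errorf("%w: check digits do not verify", ErrInvalidLEI)
	}
	return LEI{s: raw}, nil
}

// WithCheckDigits appends ISO 7064 MOD 97-10 check digits to an 18-character
// prefix. Constructed helper so the example can mint a valid sample offline.
func WithCheckDigits(prefix18 string) (string, error) {
	if len(prefix18) != 18 {
		return "", fmt.Errorf("%w: prefix must be 18 characters", ErrInvalidLEI)
	}
	n, err := mod97(prefix18 + "00")
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s%02d", prefix18, 98-n), nil
}

// RecordURL is what a typed client method looks like: it cannot be called with
// a raw string, so the path segment is always a verified identifier.
// The /api/v1/lei-records/ path is an assumption for this example.
func RecordURL(base string, l LEI) string {
	return base + "/api/v1/lei-records/" + l.String()
}

func main() {
	sample, _ := WithCheckDigits("529900EXAMPLE00000") // constructed prefix
	l, err := ParseLEI(sample)
	fmt.Println(sample, err, RecordURL("https://api.gleif.org", l))
	_, err = ParseLEI("6" + sample[1:]) // one substituted digit: check digits fail
	fmt.Println(err)
}
```

A single substituted character always changes the residue (97 is prime and does not divide any power of ten), so the check digits catch every single-character typo; they are a format check, not proof that the LEI is registered, which still needs the lookup.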

Fixed

  • API client refuses all redirects via CheckRedirect returning http.ErrUseLastResponse. The GLEIF API does not redirect under normal operation; without this guard, a misconfigured BaseURL or a proxy returning Location: http://169.254.169.254/... would pivot a lookup into a fetch against cloud metadata or other link-local internal services. Note that with http.ErrUseLastResponse the 3xx response is handed back to the caller with a nil error, so response handling must treat any 3xx status as a failure rather than parse its body. (security)
  • LEI record cache no longer returns aliased pointers. Cache now deep-copies on both store and retrieval. (correctness)
  • GetLEI cold-path (cache-miss) fetches now collapse via singleflight.Group: concurrent lookups of the same LEI share one upstream request instead of each issuing its own, closing the rate-limit-amplification surface. (security)
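The redirect guard described in the first Fixed bullet, as an added example that is not the project's code: a client built with `CheckRedirect` returning `http.ErrUseLastResponse`, a `Get` wrapper that turns any 3xx into an error, and a demo that stands up two constructed local servers (one playing a link-local metadata service that returns a secret, one playing a misconfigured BaseURL or proxy that 302s to it) and fetches through both a default `http.Client` and the guarded one. Server paths, the secret string and the `ErrRedirect` name are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// ErrRedirect is returned whenever the upstream answers with a 3xx. The GLEIF
// API is not expected to redirect, so a redirect is treated as a
// misconfiguration or an attack and is never followed.
var ErrRedirect = errors.New("gleif: upstream returned a redirect; refusing to follow")

// NewNoRedirectClient builds an http.Client whose CheckRedirect stops the
// client from following but hands the 3xx response back (ErrUseLastResponse).
func NewNoRedirectClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// Get fetches url and returns (status, body). The status check is essential:
// with ErrUseLastResponse the client returns the 3xx response with err == nil,
// so code that only checks err would parse the redirect body as a record.
func Get(c *http.Client, url string) (int, string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 && resp.StatusCode <= 399 {
		return resp.StatusCode, "", fmt.Errorf("%w (Location: %s)", ErrRedirect, resp.Header.Get("Location"))
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the body size
	if err != nil {
		return resp.StatusCode, "", err
	}
	return resp.StatusCode, string(body), nil
}

// DemoResult records what the default and the guarded client each got back.
type DemoResult struct {
	DefaultStatus int
	DefaultBody   string // what the unguarded client leaked from "metadata"
	GuardedStatus int
	GuardedErr    error
}

// RunRedirectDemo builds the hostile setup on loopback: "internal" stands in
// for 169.254.169.254, "proxy" stands in for a misconfigured BaseURL that
// redirects there. Both clients fetch the same record URL from the proxy.
func RunRedirectDemo() DemoResult {
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "SECRET-IAM-CREDENTIALS") // constructed secret
	}))
	defer internal.Close()
	proxy := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, internal.URL+"/latest/meta-data/iam/", http.StatusFound)
	}))
	defer proxy.Close()

	target := proxy.URL + "/api/v1/lei-records/X" // assumed path shape
	var res DemoResult
	res.DefaultStatus, res.DefaultBody, _ = Get(&http.Client{Timeout: 5 * time.Second}, target)
	res.GuardedStatus, _, res.GuardedErr = Get(NewNoRedirectClient(5*time.Second), target)
	return res
}

func main() {
	r := RunRedirectDemo()
	fmt.Printf("default client: %d %q\n", r.DefaultStatus, r.DefaultBody)
	fmt.Printf("guarded client: %d err=%v\n", r.GuardedStatus, r.GuardedErr)
}
```

The default client follows the 302 and returns the internal service's body with status 200; the guarded client stops at the 302, and because `Get` refuses 3xx statuses the caller sees `ErrRedirect` instead of a body. Pinning the `BaseURL` host and scheme at startup is a complementary control, since this guard only blocks the pivot after the first hop.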

Breaking Changes

  • Client method signatures now require typed domain identifier values (`LEI`, `BIC`, `ISIN`, `Country`, `IssuerID`) instead of raw strings.

Security Fixes

  • API client now refuses all redirects by returning `http.ErrUseLastResponse` from `CheckRedirect`, preventing a misconfigured BaseURL or a redirecting proxy from pivoting lookups to internal services.
  • Cold-path `GetLEI` fetches are deduplicated with `singleflight.Group`, eliminating rate-limit amplification from concurrent cache misses on the same LEI.
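The two cache-side fixes (deep copy on store and retrieval, and coalescing of concurrent cold-path fetches) in one added example, not the project's code. It implements the in-flight map with the standard library only, where the real project uses `golang.org/x/sync/singleflight`; the `LEIRecord` shape, the slow fake upstream and the sample LEI string are constructed for the demo.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// LEIRecord is a constructed stand-in for the project's record type. The slice
// field is why a plain struct copy is not enough: it would still share memory.
type LEIRecord struct {
	LEI       string
	LegalName string
	Addresses []string
}

// Clone deep-copies so the cache and its callers never alias each other.
func (r *LEIRecord) Clone() *LEIRecord {
	if r == nil {
		return nil
	}
	c := *r
	c.Addresses = append([]string(nil), r.Addresses...)
	return &c
}

// call is one in-flight upstream fetch that later callers wait on.
type call struct {
	done chan struct{}
	val  *LEIRecord
	err  error
}

// Client caches records and coalesces concurrent misses for the same key
// (singleflight.Group semantics with a mutex-guarded map).
type Client struct {
	mu       sync.Mutex
	cache    map[string]*LEIRecord
	inflight map[string]*call
	fetch    func(lei string) (*LEIRecord, error)
	Upstream atomic.Int64 // upstream requests actually issued
}

func NewClient(fetch func(string) (*LEIRecord, error)) *Client {
	return &Client{cache: map[string]*LEIRecord{}, inflight: map[string]*call{}, fetch: fetch}
}

// GetLEI: cache hit returns a copy; a miss joins the in-flight fetch if one
// exists, otherwise this caller becomes the single fetcher and stores a copy.
func (c *Client) GetLEI(lei string) (*LEIRecord, error) {
	c.mu.Lock()
	if r, ok := c.cache[lei]; ok {
		c.mu.Unlock()
		return r.Clone(), nil
	}
	if cl, ok := c.inflight[lei]; ok {
		c.mu.Unlock()
		<-cl.done // val/err are written before done is closed
		return cl.val.Clone(), cl.err
	}
	cl := &call{done: make(chan struct{})}
	c.inflight[lei] = cl
	c.mu.Unlock()

	c.Upstream.Add(1)
	cl.val, cl.err = c.fetch(lei)

	c.mu.Lock()
	if cl.err == nil {
		c.cache[lei] = cl.val.Clone()
	}
	delete(c.inflight, lei)
	c.mu.Unlock()
	close(cl.done)
	return cl.val.Clone(), cl.err
}

// RunCoalescingDemo fires n concurrent cold-path lookups of one constructed LEI
// at a slow fake upstream; it reports how many upstream calls were made and
// whether mutating a returned record leaks into a later cache read.
func RunCoalescingDemo(n int) (upstreamCalls int64, leaked bool, err error) {
	const sample = "549300EXAMPLE0000000" // constructed, not a real LEI
	slow := func(lei string) (*LEIRecord, error) {
		time.Sleep(100 * time.Millisecond) // enough latency for every caller to overlap
		return &LEIRecord{LEI: lei, LegalName: "Example Corp", Addresses: []string{"1 Main St"}}, nil
	}
	c := NewClient(slow)
	var wg sync.WaitGroup
	errs := make(chan error, n)
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if _, e := c.GetLEI(sample); e != nil {
				errs <- e
			}
		}()
	}
	wg.Wait()
	close(errs)
	for e := range errs {
		return c.Upstream.Load(), false, e
	}
	first, _ := c.GetLEI(sample) // warm hit; tamper with what we got back
	first.LegalName = "Tampered"
	first.Addresses[0] = "tampered"
	second, _ := c.GetLEI(sample)
	leaked = second.LegalName == "Tampered" || second.Addresses[0] == "tampered"
	return c.Upstream.Load(), leaked, nil
}

func main() {
	calls, leaked, err := RunCoalescingDemo(50)
	fmt.Printf("upstream calls: %d, aliasing leak: %v, err: %v\n", calls, leaked, err)
}
```

Without the in-flight map, fifty simultaneous misses would become fifty upstream requests and burn the rate limit for one record; without `Clone` on both paths, the tampered `first` record would be the very pointer the cache hands to the next caller. Note that a failed fetch is not cached, so the next miss retries; a negative cache with a short TTL is the usual addition if error storms are a concern.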


About olgasafonova/gleif-mcp-server

Access the Global Legal Entity Identifier (LEI) database for company verification, KYC, and corporate ownership research via GLEIF's public API.
