This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 5mo MCP Developer Tools
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

anthropic claude go mcp mcp-server mediawiki model-context-protocol starred wiki wikipedia

Affected surfaces

rce_ssrf auth

Summary

AI summary

SSRF protection blocks private IP ranges and request body size limits prevent DoS attacks.

Full changelog

Security Improvements

SSRF Protection

The link checker (mediawiki_check_links) now blocks requests to private/internal IP ranges:

  • 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Link-local, multicast, and reserved ranges
  • IPv6 equivalents (::1, fe80::/10, fc00::/7)
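
A connect-time form of this check in Go, as an added example that is not the project's own code. The names `isBlockedIP`, `guardDial` and `newLinkCheckClient` and the two extra reserved prefixes are assumptions; it goes beyond the list above by unmapping IPv4-mapped IPv6 addresses and by checking the resolved address rather than the hostname in the URL.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// Reserved ranges the netip helper methods do not cover (constructed selection).
var reserved = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("240.0.0.0/4"),
}

// isBlockedIP reports whether ip falls in a range the release notes list as blocked.
func isBlockedIP(ip netip.Addr) bool {
	ip = ip.Unmap() // ::ffff:10.0.0.1 must be judged as 10.0.0.1
	if !ip.IsValid() || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return true
	}
	for _, p := range reserved {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// guardDial runs after DNS resolution, right before connect, so hostnames are covered too.
func guardDial(_, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil || isBlockedIP(ap.Addr()) {
		return fmt.Errorf("ssrf guard: refusing to connect to %q", address)
	}
	return nil
}

// newLinkCheckClient (hypothetical name) routes every connection through guardDial.
func newLinkCheckClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: guardDial}
	return &http.Client{Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	_, err := newLinkCheckClient().Get("http://127.0.0.1:9/") // constructed URL
	fmt.Println("blocked:", err)
}
```

Because the check sits in the dialer, redirects the client follows pass through it as well.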

Request Body Size Limit

HTTP mode now enforces request body size limits to prevent DoS attacks:

  • Default: 2MB (generous for MCP requests)
  • Maximum: 10MB

Trusted Proxy Support

New --trusted-proxies flag for secure X-Forwarded-For handling:

    ./mediawiki-mcp-server --http :8080 --trusted-proxies "10.0.0.0/8,172.16.0.0/12"

  • X-Forwarded-For is only trusted when proxies are explicitly configured
  • Prevents rate limiter bypass via header spoofing

Performance Improvements

LRU Cache with Size Limits

  • Maximum 1,000 cache entries (prevents unbounded memory growth)
  • Background cleanup every 5 minutes
  • Intelligent LRU eviction based on access times

New Features

Health Endpoints (HTTP mode)

Two new endpoints for monitoring and load balancers (no authentication required):

  • GET /health - Returns server health status

    {"status":"healthy","server":"mediawiki-mcp","version":"1.11.0"}
    
  • GET /ready - Returns readiness status with wiki configuration check

    {"status":"ready","wiki_url":"https://your-wiki.com/api.php"}
    

Upgrade Notes

  • All changes are backward compatible
  • No configuration changes required
  • Existing deployments will benefit from security improvements automatically

Security Fixes

  • SSRF protection added to `mediawiki_check_links`: blocks requests to private/internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and IPv6 equivalents
  • Request body size limited to default 2 MB (max 10 MB) in HTTP mode to prevent DoS attacks

About olgasafonova/mediawiki-mcp-server

Connect to any MediaWiki wiki (Wikipedia, Fandom, corporate wikis). 33+ tools for search, read, edit, link analysis, revision history, and Markdown conversion. Supports stdio and HTTP transport.

Related context

Earlier breaking changes

  • v1.31.0 rationale parameter now required on 7 destructive MCP tools
