This release includes 2 security fixes for security teams reviewing exposed deployments.
Topics
+4 more
Affected surfaces
Summary
AI summaryFix DNS rebinding vulnerability and make DNS errors block requests.
Full changelog
Security
- Fix DNS rebinding vulnerability in CheckLinks (SSRF protection)
- Fail-closed DNS handling - DNS errors now block requests instead of allowing
- Structured SSRFError type with programmatic error codes
- Unicode NFC normalization for page titles and content validation
Code Quality
Split methods.go (4,235 lines) into 9 logical modules:
| File | Lines | Purpose |
|------|-------|---------|
| read.go | 1,128 | Page reading operations |
| write.go | 784 | Page editing operations |
| links.go | 639 | Link operations |
| search.go | 590 | Search operations |
| quality.go | 401 | Terminology/translation checks |
| history.go | 380 | Revision history |
| security.go | 158 | SSRF protection |
| categories.go | 136 | Category operations |
| users.go | 90 | User operations |
Other
- Add
IMPROVEMENTS.mddocumenting future refactoring plans - All tests pass
Security Fixes
- Fix DNS rebinding vulnerability in CheckLinks (SSRF protection)
- Fail‑closed DNS handling – DNS errors now block requests instead of allowing them
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About olgasafonova/mediawiki-mcp-server
Connect to any MediaWiki wiki (Wikipedia, Fandom, corporate wikis). 33+ tools for search, read, edit, link analysis, revision history, and Markdown conversion. Supports stdio and HTTP transport.
Related context
Related tools
Earlier breaking changes
- v1.31.0 rationale parameter now required on 7 destructive MCP tools
Beta — feedback welcome: [email protected]