pastorsimon1798/mcp-video

v1.1.3 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 2mo MCP Developer Tools
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

agent-tools ai-agents ai-video claude claude-code cli cursor ffmpeg hyperframes mcp mcp-server mcp-tools media-automation model-context-protocol python python-library subtitles video video-automation video-editing

Affected surfaces

auth rce_ssrf

Summary

AI summary

Security hardening added FFmpeg injection validation and numerous bug fixes across the tool.

Full changelog

v1.1.3 — Adversarial Audit Hardening

Full adversarial red-team audit covering ~50 issues across 4 severity tiers. All CRITICAL, HIGH, and actionable MEDIUM fixes applied.

Critical (C1–C7)

  • C1: Fixed edit_timeline crash on t.type.value — type is Literal[str], not enum
  • C2: Fixed audio-waveform CLI passing unknown output_path kwarg to engine
  • C3: Fixed thumbnail/extract-frame CLI using wrong text formatter (showed N/A)
  • C4: Fixed silence boundary logic bug creating inverted segments in ai_remove_silence
  • C5: Fixed _parse_ffmpeg_time assuming centiseconds for variable fractional digits
  • C6: Added try/except wrapper to video_batch server tool
  • C7: Fixed _format_batch_text KeyError on validation error responses

High — Security & Robustness (H1–H5)

  • H1: chroma_key color param now validated for FFmpeg injection characters (:, ], [, ;, \x00)
  • H2: add_text text escaping now covers [, ], ; FFmpeg filter chars
  • H3: Added _parse_json_arg helper for 11 CLI commands with friendly JSON error messages
  • H4: _validate_input now checks null bytes in file paths
  • H5: Added _validate_input_path calls to 5 effect functions and 3 transition functions

Medium — Validation (M1–M2)

  • M1: 12 server validation additions (resize negative dims, font size bounds, fade non-negative, volume range, threshold 0-1, fps bounds, lufs -70 to -5, chroma_key similarity/blend 0-1, stabilize smoothing/zooming non-negative, apply_mask feather non-negative, waveform bins 1-1000)
  • M2: Client export() format validation, video-layout-pip CLI --rounded-corners flag

Full Changelog: https://github.com/Pastorsimon1798/mcp-video/compare/v1.1.2...v1.1.3

Security Fixes

  • `chroma_key` color parameter now validated against FFmpeg injection characters (colon, brackets, semicolon, null byte)
  • `add_text` text escaping expanded to cover FFmpeg filter special characters ([, ], ;)
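
An added example, not code from mcp-video: one way to validate a color value before it is interpolated into an FFmpeg `chromakey` filter string. It rejects the characters listed in H1 and then goes further with an allowlist of color literals; the function names, the allowlist regex and the sample inputs are assumptions constructed here.

```python
import re

# Characters the v1.1.3 changelog lists as rejected in the chroma_key color value.
FILTER_META = frozenset(":][;\x00")

# Assumed allowlist (not from the project): a color name, or 0xRRGGBB / #RRGGBB
# with optional AA, optionally followed by @alpha as FFmpeg's color syntax allows.
COLOR_RE = re.compile(
    r"(?:[A-Za-z]{1,32}|(?:0x|#)[0-9A-Fa-f]{6}(?:[0-9A-Fa-f]{2})?)"
    r"(?:@(?:0x[0-9A-Fa-f]{2}|[01](?:\.[0-9]{1,6})?))?"
)


def validate_color(color: str) -> str:
    """Return color unchanged if it is safe to place in a filter string."""
    if not isinstance(color, str) or not color:
        raise ValueError("color must be a non-empty string")
    bad = sorted(FILTER_META.intersection(color))
    if bad:
        raise ValueError(f"color contains filter metacharacters: {bad!r}")
    if not COLOR_RE.fullmatch(color):
        raise ValueError(f"color is not a recognised color literal: {color!r}")
    return color


def build_chromakey_filter(color: str, similarity: float = 0.01, blend: float = 0.0) -> str:
    """Build a chromakey filter string from validated arguments."""
    if not 0.0 <= similarity <= 1.0 or not 0.0 <= blend <= 1.0:
        raise ValueError("similarity and blend must be within 0-1")
    return f"chromakey=color={validate_color(color)}:similarity={similarity}:blend={blend}"


def check(color: str) -> str:
    """Classify one input as 'ok' or 'rejected' (for the samples below)."""
    try:
        build_chromakey_filter(color)
        return "ok"
    except ValueError:
        return "rejected"


# Constructed sample inputs: two valid colors, then values that would add an
# option, open a new filter chain, or carry a NUL byte into the string.
SAMPLES = ["green", "0x00FF00", "0x00FF00:similarity=1", "green];[0:v]null", "green\x00"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} {check(s)}")
```

The denylist check alone matches what H1 describes; the allowlist also rejects values such as commas or spaces that the listed characters do not cover.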


About pastorsimon1798/mcp-video

Video editing MCP server with 26 tools for trimming, merging, text overlays, audio sync, filters, color grading, audio normalization, picture-in-picture, split-screen, batch processing, format conversion, subtitles, watermarks, and more. 380 tests, CI on Python 3.11+3.12, progress callbacks, works with Claude Code, Cursor, and any MCP client.
