
pastorsimon1798/mcp-video

v1.2.0 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 2mo MCP Developer Tools
✓ No known CVEs patched
This release patches 4 known CVEs

Topics

agent-tools ai-agents ai-video claude claude-code cli cursor ffmpeg hyperframes mcp mcp-server mcp-tools media-automation model-context-protocol python python-library subtitles video video-automation video-editing

Affected surfaces

deps rce_ssrf auth

Summary

AI summary

Security hardening across all tools includes FFmpeg filter injection prevention, centralized validation, null byte rejection, and subprocess timeouts.

Full changelog

Security Hardening (56 tasks)

What changed

  • Centralized validation module (validation.py) with parameter validators and allowed-value constants
  • Shared FFmpeg helpers (ffmpeg_helpers.py) — deduplicated escape, validate, run utilities
  • FFmpeg filter injection prevention on all 82 tools — all numeric params sanitized before interpolation
  • Color validation hardened — whitelist CSS named colors + hex + 0xRRGGBB format
  • Null byte rejection on all input paths across all engines
  • Server-side parameter validation on all 82 tools (crf, preset, format, transitions, audio, AI, Remotion)
  • except Exception fallback on all tool functions — no raw exceptions leak to MCP framework
  • Timeout (600s) on all subprocess.run calls in ai_engine.py
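
The validate-then-interpolate pattern these items describe, as an added example; it is not code from mcp-video's `validation.py`. The function names, numeric bounds and the short colour list are assumptions made for illustration, and the constructed inputs are benign.

```python
import math
import re

# Assumed subset of CSS named colours; the project's real allow-list is not shown here.
NAMED_COLORS = frozenset({"black", "white", "red", "green", "blue", "yellow"})
HEX_COLOR = re.compile(r"(?:#|0x)[0-9A-Fa-f]{6}")


def reject_null_bytes(path: str) -> str:
    """Refuse paths containing NUL, which C-level APIs treat as end of string."""
    if "\x00" in path:
        raise ValueError("path contains a null byte")
    return path


def validate_number(name: str, value, lo: float, hi: float) -> float:
    """Coerce to a finite float inside [lo, hi]; anything else is rejected."""
    if isinstance(value, bool):
        raise ValueError(f"{name}: booleans are not numeric parameters")
    try:
        number = float(value)
    except (TypeError, ValueError):
        raise ValueError(f"{name}: not a number") from None
    if not math.isfinite(number) or not lo <= number <= hi:
        raise ValueError(f"{name}: must be between {lo} and {hi}")
    return number


def validate_color(value) -> str:
    """Allow only a known colour name, #RRGGBB or 0xRRGGBB (no ':' or ',' can pass)."""
    if isinstance(value, str) and (
        value.lower() in NAMED_COLORS or HEX_COLOR.fullmatch(value)
    ):
        return value
    raise ValueError("color: not an allowed name, #RRGGBB or 0xRRGGBB")


def build_drawbox(x, y, w, h, color) -> str:
    """Build an FFmpeg drawbox filter from validated values only."""
    nums = {
        "x": validate_number("x", x, 0, 16384),
        "y": validate_number("y", y, 0, 16384),
        "w": validate_number("w", w, 1, 16384),
        "h": validate_number("h", h, 1, 16384),
    }
    # Re-serialise as integers so the caller's original text never reaches the filter.
    parts = [f"{key}={int(val)}" for key, val in nums.items()]
    return "drawbox=" + ":".join(parts) + f":color={validate_color(color)}:t=fill"
```

Because each number is re-serialised from the parsed value, a string such as `"640,hflip"` fails in `validate_number` instead of adding a second filter to the chain.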

Engine bug fixes

  • Fixed _run_ffmpeg_with_progress deadlock (stdout PIPE → DEVNULL)
  • Fixed convert() hardcoded /dev/null → os.devnull
  • Fixed resize() division by zero on zero-dimension videos
  • Fixed _build_pitch_shift_filter() atempo chaining for extreme semitone values
  • Fixed generate_subtitles() — validates entries have required keys
  • Fixed write_metadata() — removed overly restrictive = check on values
  • Fixed extract_audio() — format whitelist validation
  • Fixed _auto_output() — prevents overwriting input file
  • Fixed audio_waveform() — removed broken ffprobe fallback
  • Fixed speed() — caps atempo chain count at 20
  • Fixed storyboard() — removed unused tmpdir
  • Fixed _escape_ffmpeg_filter_value — backslash handling, added semicolon escaping

AI engine fixes

  • Null-byte rejection on all 7 public functions
  • Timeout on all subprocess.run calls
  • Fixed _match_reference_colors() — narrowed except clause
  • Fixed ai_color_grade() — create parent directories for output
  • Fixed audio_spatial() — clamped volume value

Tests

  • 832 tests total (707 fast, 116 slow/remotion)
  • 20 new adversarial and server validation tests

Full Changelog: https://github.com/pastorsimon1798/mcp-video/compare/v1.1.5...v1.2.0

Security Fixes

  • FFmpeg filter injection prevention applied to all 82 tools by sanitizing numeric parameters before interpolation
  • Null byte rejection implemented on all input paths across every engine
  • Server‑side parameter validation added for crf, preset, format, transitions, audio, AI, and Remotion options in all 82 tools
  • Catch‑all `except Exception` fallback added to prevent raw exceptions from leaking to the MCP framework


About pastorsimon1798/mcp-video

Video editing MCP server with 26 tools for trimming, merging, text overlays, audio sync, filters, color grading, audio normalization, picture-in-picture, split-screen, batch processing, format conversion, subtitles, watermarks, and more. 380 tests, CI on Python 3.11+3.12, progress callbacks, works with Claude Code, Cursor, and any MCP client.
