Burp Suite MCP by PortSwigger

v1.3.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 8d MCP Security & Auth

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

extension

Affected surfaces

auth

ReleasePort's take

Moderate signal

editorial:auto 8d

Version v1.3.0 broadens the credential filter and now fails closed when encountering malformed JSON during options export.

Why it matters: Security fact: a severity‑90 security fix forces failure on malformed JSON exports, protecting credentials; relevant for developers handling MCP client data.

Summary

AI summary

Broaden credential filter to fail closed on malformed JSON in options export.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Broadens credential filter and fails closed on malformed JSON in options export Broadens credential filter and fails closed on malformed JSON in options export Source: llm_adapter@2026-05-26 Confidence: high	—
Feature
Feature	Low	Adds create_repeater_tab_http2 for HTTP/2 targets Adds create_repeater_tab_http2 for HTTP/2 targets Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Low	Adds Organizer history tools to retrieve requests by id/status Adds Organizer history tools to retrieve requests by id/status Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Low	Adds checkbox to filter password fields in output_project_options / output_user_options Adds checkbox to filter password fields in output_project_options / output_user_options Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Low	Detects Windows Store Claude Desktop config path automatically Detects Windows Store Claude Desktop config path automatically Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Fixes normalization of literal \r\n escape sequences in HTTP content from MCP clients Fixes normalization of literal \r\n escape sequences in HTTP content from MCP clients Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Normalizes only the HTTP request prelude, not the body Normalizes only the HTTP request prelude, not the body Source: llm_adapter@2026-05-26 Confidence: high	—

Full changelog

Features

Add create_repeater_tab_http2 for HTTP/2 targets (#91)
Add Organizer history tools — retrieve requests from Organizer tabs with id/status (#87, #94)
Add checkbox to filter password fields in output_project_options / output_user_options (#25)
Detect Windows Store Claude Desktop config path (#96)

Bug Fixes

Fix normalization of literal \r\n escape sequences in HTTP content from MCP clients (#58)
Normalize only the HTTP request prelude, not the body (#93)

Security

Broaden credential filter and fail closed on malformed JSON in options export (#95)

Security Fixes

Fail closed on malformed JSON in options export — broadens credential filter (#95)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Burp Suite MCP by PortSwigger

Get notified when new releases ship.

About Burp Suite MCP by PortSwigger

MCP Server for Burp

All releases →