
rps321321/obsidian-mcp-pro

v1.3.3 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 1mo MCP Developer Tools
✓ No known CVEs patched
This release patches 2 known CVEs

Affected surfaces

auth

Summary

AI summary

Central error sanitizer prevents leaking absolute host paths and HTTP 500 responses now return generic messages.

Full changelog

Security

  • Central error sanitizer (lib/errors.ts) — fs errors no longer leak absolute host paths to MCP clients; errno codes collapsed to generic messages
  • HTTP 500 responses are now generic; full detail stays in server logs (SDK internals / file paths no longer reach the wire)
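A sketch of the pattern these two entries describe, added here as an example; it is not the project's `lib/errors.ts`. The function names, the errno-to-message table and the sample path are assumptions made for illustration.

```typescript
// Added illustration, not the project's lib/errors.ts; all names are hypothetical.
type ErrnoLike = { code?: unknown; message?: unknown; stack?: unknown };

// Assumed mapping: several errno codes collapse into a few generic client messages.
const CLIENT_MESSAGES = new Map<string, string>([
  ["ENOENT", "Note not found"],
  ["ENOTDIR", "Note not found"],
  ["EEXIST", "Note already exists"],
  ["EACCES", "Operation not permitted"],
  ["EPERM", "Operation not permitted"],
]);
const FALLBACK_MESSAGE = "Internal error";

interface Sanitized {
  clientMessage: string; // safe to send to an MCP client
  logDetail: string;     // full detail, for the server log only
}

function sanitizeError(err: unknown): Sanitized {
  const e: ErrnoLike = typeof err === "object" && err !== null ? (err as ErrnoLike) : {};
  const code = typeof e.code === "string" ? e.code : "";
  const logDetail =
    typeof e.stack === "string" ? e.stack :
    typeof e.message === "string" ? e.message : String(err);
  // The client message comes from a fixed table and is never derived from
  // err.message, so a host path embedded in the original text cannot reach it.
  const clientMessage = CLIENT_MESSAGES.get(code) ?? FALLBACK_MESSAGE;
  return { clientMessage, logDetail };
}

// Generic HTTP 500 body; the detail goes only to the supplied logger.
function internalErrorResponse(err: unknown, log: (line: string) => void) {
  const { logDetail } = sanitizeError(err);
  log(`500: ${logDetail}`);
  return { status: 500, body: JSON.stringify({ error: FALLBACK_MESSAGE }) };
}

// Constructed sample shaped like a Node.js fs error (the path is made up).
function sampleFsError(): Error {
  const p = "/home/alice/vault/secret/plan.md";
  const msg = `ENOENT: no such file or directory, open '${p}'`;
  return Object.assign(new Error(msg), { code: "ENOENT", path: p });
}
```

Choosing the client string from a table, rather than scrubbing paths out of `err.message` with a regex, means an unfamiliar message format fails closed to the fallback text.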

Reliability

  • moveNote case-rename deadlock fixed — when source/dest share a lock key (e.g. Note.md → note.md on macOS/Windows) a single lock is used instead of nested
  • writeNote({ exclusive: true }) now does an explicit case-aware collision probe on case-insensitive filesystems, so Note.md cannot silently overwrite note.md
  • prependToNote frontmatter scan replaced with a bounded line-walker (500 lines / 64 KB cap) — no more event-loop stall on malformed or multi-MB notes
  • HTTP session sweeper — 1 h idle TTL, 5 min interval, unref'd timer; prevents transport/McpServer leaks from dropped clients
  • Oversize POST body drains cleanly and returns proper 413 (no req.destroy() race against the 500 writer)

Performance

  • Tag tools (get_tags, search_by_tag) now read notes with a bounded-concurrency pool (16) via new lib/concurrency.ts — was serial
  • install.ts config write is atomic — temp file + rename, so Claude Desktop or a concurrent editor never observes a half-written manifest

All 122 tests pass; tsc clean. Verified against the official MCP TypeScript SDK docs via Context7.

Security Fixes

  • lib/errors.ts central sanitizer collapses fs errors to generic messages, removing absolute host path disclosure
  • HTTP 500 responses now omit detailed internal information such as SDK internals and file paths


About rps321321/obsidian-mcp-pro

Feature-complete Obsidian vault MCP server with 23 tools and 3 resources. Full-text search, note CRUD, frontmatter queries, tag management, backlinks, graph traversal (BFS up to 5 hops), orphan/broken link detection, and canvas support. Auto-detects vault, path traversal protection, MIT licensed.
