rps321321/obsidian-mcp-pro

v1.8.1 Security

This release includes one security fix, relevant to anyone reviewing exposed deployments.

Published 28d MCP Developer Tools

Summary

Fixed a path-allowlist bypass vulnerability that allowed .. segments to escape the configured read/write allowlists.

Full changelog

Security and correctness patch on top of 1.8.0. Upgrade strongly recommended for any deployment that uses OBSIDIAN_READ_PATHS or OBSIDIAN_WRITE_PATHS.

Critical

A path-allowlist bypass via `..` segments was found in assertAllowed. v1.8.0 evaluated the allowlist against the raw user-supplied path before path.resolve collapsed the `..` segments. A request like Allowed/../OtherFolder/note.md slipped past the prefix check (the string starts with Allowed/), and the resolved read or write landed in a folder outside the allowlist. The separate vault-traversal check still passed because the resolved path stayed inside the vault root, so the bypass was invisible to the existing guards.

Fixed: assertAllowed now collapses .. via path.posix.normalize and rejects any path whose normalized form climbs above its starting point. Six regression tests cover the bypass classes (escape into a different folder, climb above vault root, leading .., backslash-encoded variant, write-side variant, plus an allowed traversal that lands back inside the same folder).

If you run with allowlists set, upgrade now.

High

  • HTTP timeout on every embedding-provider fetch (AbortSignal.timeout(30_000)). A hung Ollama or OpenAI endpoint used to hang the tool call indefinitely and hold the MCP session open.
  • TOCTOU race in rename_tag closed. Rewrites now run inside the updateNote transform so concurrent writes between the read and the lock-acquired write can no longer be silently overwritten.
  • search_semantic and find_similar_notes invalidate stale vectors. Switching embedding models and querying before re-indexing used to produce meaningless cosine scores with no warning. Both tools now call invalidateIfIncompatible after loadStore.

Medium

  • Bases filter recursion guard. evaluateFilter now caps recursion at 64 levels so a pathological .base file with deeply nested and/or/not blocks can no longer overflow the V8 stack.
  • updateNote skips disk writes when the transform returned unchanged content. No more spurious mtime bumps from no-op tools (replace_in_note with zero matches, rename_tag on notes without occurrences).
  • Provider error bodies truncated to 200 chars before interpolation into thrown Error messages.

Low

  • Empty accept elicitation responses are now cancellations, not errors. delete_note no longer surfaces an error when the user dismisses the form without filling it in.
  • Cache snapshot eviction order is now deterministic. Entries are sorted by content length ascending before serialization so small entries fill the 64 MB budget first.
  • update_section reports accurate byte counts using Buffer.byteLength instead of string.length. string.length counts UTF-16 code units, not UTF-8 bytes, so the old count was too low for multi-byte content (by 2x for two-byte characters such as accented Latin letters, 3x for most CJK).

Tests

  • 444 passing (was 438), +6 regression tests on the permission bypass classes.

Install or upgrade

npx -y [email protected] install

Or pin in your MCP client config:

{
  "mcpServers": {
    "obsidian": {
      "command": "npx",
      "args": ["-y", "[email protected]"]
    }
  }
}

Full changelog: CHANGELOG.md

Security Fixes

  • Path-allowlist bypass via `..` segments fixed in `assertAllowed` (normalizes paths and rejects upward traversal). No CVE identifier is listed for this issue in the release notes.


About rps321321/obsidian-mcp-pro

Feature-complete Obsidian vault MCP server with 23 tools and 3 resources. Full-text search, note CRUD, frontmatter queries, tag management, backlinks, graph traversal (BFS up to 5 hops), orphan/broken link detection, and canvas support. Auto-detects vault, path traversal protection, MIT licensed.
