This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
v0.14.2 rejects sensitive paths at startup and adds realpath boundary checks to the raw-data ingest fast path, closing traversal vulnerabilities.
Why it matters: Security engineers must upgrade to v0.14.2 immediately; it blocks access to `/etc`, `~/.ssh` and prevents symlink‑escape attacks in ingest operations.
Summary
AI summary: Sensitive paths are rejected and the raw-data ingest fast path adds realpath boundary checks to close traversal vulnerabilities.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Rejects sensitive paths (e.g., `/etc`, `~/.ssh`) at CLI and server startup, including realpath forms. (Source: llm_adapter, 2026-05-23; confidence: low) | — |
| Security | Medium | Adds realpath boundary check to the `raw-data` ingest fast path, preventing traversal and symlink escape. (Source: llm_adapter, 2026-05-23; confidence: low) | — |
| Feature | Medium | Adds `BASE_DIRS` env var to configure multiple document roots. (Source: llm_adapter, 2026-05-23; confidence: high) | — |
| Feature | Medium | Adds repeatable `--base-dir` flag for `ingest` and `list` commands. (Source: llm_adapter, 2026-05-23; confidence: high) | — |
| Feature | Medium | Modifies `list_files` to return `baseDirs: string[]` and per-file `baseDir`. (Source: llm_adapter, 2026-05-23; confidence: high) | — |
| Bugfix | Medium | Places server in degraded mode on invalid `BASE_DIRS`; `status` remains callable, other tools return structured errors. (Source: llm_adapter, 2026-05-23; confidence: high) | — |
| Bugfix | Medium | Moves configuration warnings to MCP tool responses instead of stderr. (Source: llm_adapter, 2026-05-23; confidence: low) | — |
Full changelog
Added
- `BASE_DIRS`: JSON array env var to configure multiple document roots, e.g. `BASE_DIRS='["/a","/b"]'`.
- Repeatable `--base-dir` for `ingest` and `list`. CLI roots replace env roots.
- Precedence: CLI `--base-dir` > `BASE_DIRS` > `BASE_DIR` > cwd.
Changed
- Configuration warnings (e.g. `BASE_DIRS is set; BASE_DIR is ignored.`) now appear in MCP tool responses, not only stderr.
- `list_files` returns `baseDirs: string[]` and per-file `baseDir`. Legacy `baseDir` (first effective root) is preserved.
- Invalid `BASE_DIRS` puts the server in degraded mode: `status` stays callable for diagnosis, root-dependent tools return a structured error. No silent fallback.
Security
- Sensitive paths (`/etc`, `/usr`, `~/.ssh`, ...) are rejected at both CLI and MCP server startup, including their realpath canonical forms (`/private/etc` on macOS).
- The `raw-data` ingest fast path is now gated by a realpath boundary check, closing traversal and symlink-escape vectors.
Security Fixes
- Sensitive paths (e.g., `/etc`, `/usr`, `~/.ssh`) are rejected at startup; realpath canonical forms are also blocked; the `raw-data` ingest fast path is now gated by a realpath boundary check, closing traversal and symlink-escape vectors.
About shinpr/mcp-local-rag
Privacy-first document search server running entirely locally. Supports semantic search over PDFs, DOCX, TXT, and Markdown files with LanceDB vector storage and local embeddings - no API keys or cloud services required.