This release includes 1 security fix for security teams reviewing exposed deployments.
Published 3mo
MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE
Topics
mcp
mcp-framework
mcp-server
model-context-protocol
Affected surfaces
auth
Summary
AI summary: Fixed token file permission leak on Windows and several validation/serialization bugs.
Full changelog
Fixed
- TokenManager now restricts file permissions on Windows via icacls - mode 0o600 is silently ignored on NTFS, so saved tokens and device codes were readable by any local user
- ZodCompiler.compileArray() now prefers minItems/maxItems over legacy minLength/maxLength for array constraints - previously emitted incorrect validation for arrays
- HttpHandlerFactory no longer adds Content-Type application/json to GET and HEAD requests - prevents servers from rejecting body-less requests
- RefResolver deep-clones ref targets before recursive resolution - multiple refs to the same definition no longer share a single mutable object
- ToolSynthesizer.toToolName() (n8n) now throws when the sanitized name is empty - previously returned empty string, producing an invalid MCP tool definition
Security Fixes
- TokenManager now restricts token file permissions on Windows via icacls, because mode 0o600 is silently ignored on NTFS; saved tokens and device codes are no longer readable by any local user
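The pattern behind this fix, as an added example (not mcp-fusion's own code): create the file empty, restrict it with POSIX mode bits and, on Windows, an explicit ACL set through `icacls`, and only then write the secret. The helper names (`writeSecretFile`, `icaclsArgs`, `currentAccount`, `isOwnerOnly`) are hypothetical, and the example assumes the token owner is the user running the process.

```typescript
import { execFileSync } from "node:child_process";
import * as fs from "node:fs";
import * as os from "node:os";

// icacls arguments: strip inherited ACEs, then grant full control to one account only.
function icaclsArgs(file: string, account: string): string[] {
  return [file, "/inheritance:r", "/grant:r", `${account}:F`];
}

// Assumption: the token owner is the user running the process.
function currentAccount(): string {
  const user = os.userInfo().username;
  const domain = process.env.USERDOMAIN; // set in Windows logon sessions
  return domain ? `${domain}\\${user}` : user;
}

// Write a secret so that only the current user can read it, on POSIX and on NTFS.
function writeSecretFile(file: string, data: string, platform: string = process.platform): void {
  // Create or truncate first, with no secret inside yet. The mode argument is
  // applied only on creation, so chmod covers a pre-existing file.
  fs.closeSync(fs.openSync(file, "w", 0o600));
  fs.chmodSync(file, 0o600);
  if (platform === "win32") {
    // Mode 0o600 has no effect on NTFS, so the ACL is set explicitly.
    // execFileSync throws on a non-zero exit: fail closed, nothing is written.
    execFileSync("icacls", icaclsArgs(file, currentAccount()), { stdio: "ignore" });
  }
  fs.writeFileSync(file, data); // permissions are already tight at this point
}

// POSIX-only check: true when group and other have no access bits set.
function isOwnerOnly(file: string): boolean {
  return (fs.statSync(file).mode & 0o077) === 0;
}
```

On Windows, running `icacls <file>` with no other arguments lists the resulting ACL, which should show a single entry for the owning account.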
About vinkius-labs/mcp-fusion
A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.