Skip to content

vinkius-labs/mcp-fusion

v3.1.19 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

auth rce_ssrf

Summary

AI summary

Fixed CLI entry‑point handling on Windows and prevented prototype pollution in FluentToolBuilder.

Full changelog

Fixed

  • CLI entry-point guard now handles Windows shim extensions (.cmd, .ps1, .cjs, .mjs, .exe) — previously \main()\ was silently skipped when invoked via npx/pnpm/yarn on Windows
  • \ usion dev\ reload now resolves the new registry before clearing the old one — if resolution fails (e.g. syntax error in user code), existing tools remain available instead of vanishing
  • \ usion deploy\ now warns when the deploy token would be sent over plaintext HTTP, adds a 60-second fetch timeout, and wraps
    es.json()\ in try/catch for non-JSON responses
  • FSM state gate now clones per-request even without an external \ smStore\ — concurrent SSE/stdio clients no longer share and mutate the same FSM instance, preventing cross-session workflow corruption
  • \FluentToolBuilder\ inline .use()\ middleware no longer merges enriched context via \Object.assign\ — dangerous keys (_proto_, \constructor, \prototype) are now filtered to prevent prototype pollution

Security Fixes

  • FluentToolBuilder .use() middleware now filters dangerous keys (__proto__, constructor, prototype) to prevent prototype pollution
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track vinkius-labs/mcp-fusion

Get notified when new releases ship.

Sign up free

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.

All releases →

Related context

Earlier breaking changes

  • v4.0.0 All packages now published under the `@mcpfusion` npm scope.
  • v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
  • v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.

Beta — feedback welcome: [email protected]