Skip to content

vinkius-labs/mcp-fusion

v3.1.25 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

auth rbac

Summary

AI summary

Fixed FSM gate bypass on tool calls and added bounded LRU snapshot store limiting memory usage.

Full changelog

Fixed

  • *FSM gate enforcement on \ ools/call* (Bug #107): \ServerAttachment\ \createToolCallHandler\ now enforces the FSM State Gate at dispatch — previously only filtered \ ools/list, allowing clients that knew a tool's name to bypass the gate and call it regardless of FSM state. Rejected calls return a structured \ oolError('FORBIDDEN')\ with current state, blocked tool name, and available actions.

  • Bounded FSM snapshot store (Bug #108): \ServerAttachment\ in-memory FSM snapshot store now uses a bounded LRU map (max 10,000 entries) — previously used an unbounded \Map\ that never evicted entries, causing linear memory growth proportional to unique session count in long-running servers.

Security Fixes

  • FSM gate now enforced on tool call dispatch, preventing bypass of state checks (Bug #107)
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track vinkius-labs/mcp-fusion

Get notified when new releases ship.

Sign up free

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.

All releases →

Related context

Earlier breaking changes

  • v4.0.0 All packages now published under the `@mcpfusion` npm scope.
  • v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
  • v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.

Beta — feedback welcome: [email protected]