vinkius-labs/mcp-fusion

v3.6.2 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 2mo MCP Developer Tools
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

auth rce_ssrf

Summary

AI summary

Fixed prompt injection via markdown code fences and greedy JSON extraction, added configurable HTTP body size limit to prevent DoS.

Full changelog

Security

  • HTTP body size limit — DoS/OOM prevention (Bug #149) — The HTTP transport handler now enforces a configurable maxBodyBytes limit (default: 4MB). Requests exceeding the limit are rejected with HTTP 413 via dual-layer protection: Content-Length pre-flight check and streaming byte counter. Prevents attackers from sending multi-GB payloads that crash the server.

  • Prompt injection via markdown code fence escape (Bug #150) — buildInputFirewallPrompt() and buildFirewallPrompt() now sanitize backticks in user-controlled data before embedding in markdown code fences. Previously, arguments containing triple backticks could escape the code block and inject arbitrary instructions into the LLM judge prompt, bypassing the security firewall.

  • Greedy JSON extraction replaced (Bug #150) — parseJudgePass() and extractDetailedRejections() now use a new extractLastJson() function that scans backward from the last } with brace-depth counting, replacing the greedy regex that could capture non-JSON prose.
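
The backward scan described for extractLastJson(), set beside a greedy first-brace-to-last-brace regex, as an added example that is not mcp-fusion's own code. The `{"pass": ...}` verdict shape, `greedyExtract`, `judgePasses` and the sample judge response are assumptions constructed for illustration; this sketch fails closed when the balanced span does not parse.

```typescript
// Added illustration; not taken from the mcp-fusion source.

// Greedy pattern of the kind the changelog describes: first "{" to last "}".
function greedyExtract(text: string): string | null {
  const m = text.match(/\{[\s\S]*\}/);
  return m ? m[0] : null;
}

// Scan backward from the last "}" counting brace depth; the "{" that brings
// the depth back to zero opens the last top-level object in the text.
function extractLastJson(text: string): unknown {
  const end = text.lastIndexOf("}");
  let depth = 0;
  for (let i = end; i >= 0; i--) {
    if (text[i] === "}") depth++;
    else if (text[i] === "{" && --depth === 0) {
      try {
        return JSON.parse(text.slice(i, end + 1));
      } catch {
        return null; // balanced span is not JSON: fail closed, do not guess
      }
    }
  }
  return null; // no "}" at all, or the braces never balanced
}

// Hypothetical verdict check: only an explicit boolean true counts as a pass.
// Braces inside string values can skew the count; the result is then null,
// which this function treats as "not passed".
function judgePasses(text: string): boolean {
  const v = extractLastJson(text);
  return typeof v === "object" && v !== null &&
    (v as { pass?: unknown }).pass === true;
}

// Constructed judge response: prose containing braces, then the verdict.
const SAMPLE = [
  "The arguments mention a template like {name} in free text.",
  "Verdict:",
  '{"pass": false, "reason": "instruction-like content in arguments"}',
].join("\n");
```

On `SAMPLE` the greedy pattern returns a span that begins at `{name}` and is not valid JSON, while the backward scan returns only the final verdict object.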

Added

  • maxBodyBytes option in StartServerOptions for configurable HTTP body size limit
  • extractLastJson() utility for robust JSON extraction from LLM responses (internal)

Test Suite

  • 198 new adversarial security tests across 6 test files covering backtick injection, fence escape patterns, unicode bypasses, multi-byte character attacks, Content-Length manipulation, streaming guard attacks, compound attack payloads, and realistic LLM response parsing.

Security Fixes

  • Sanitizes backticks in `buildInputFirewallPrompt()` and `buildFirewallPrompt()` to prevent markdown code fence escape prompt injection (Bug #150)
  • Replaced greedy regex with `extractLastJson()` for safe JSON extraction in `parseJudgePass()` and `extractDetailedRejections()` (Bug #150)

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.

Related context

Earlier breaking changes

  • v4.0.0 All packages now published under the `@mcpfusion` npm scope.
  • v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
  • v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.
