Skip to content

vinkius-labs/mcp-fusion

v3.7.8 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 2mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

auth breaking_upgrade

Summary

AI summary

Security hardening adds session rate limiting, ID validation, JSON parsing safety, concurrent session caps, CORS support, auth callback, edge guard, HMAC secret check, and new server options.

Full changelog

Security Hardening

HTTP Transport

  • Rate limiting per session (token bucket, 600 req/min default)
  • Session ID format validation (UUID v4)
  • Safe JSON body parsing with HTTP 400 on malformed input
  • Max concurrent sessions limit (1000 default, HTTP 503)
  • CORS configuration with preflight support

Authentication

  • onAuthFailure callback for JWT and API-Key middleware (telemetry integration)

Edge Runtime

  • Prototype pollution guard on __vinkius_edge_setState

Cryptographic Attestation

  • HMAC secret strength validation (warns in development, throws in production for < 32 chars)

Documentation

  • Enhanced SandboxGuard security model documentation

New Options

  • StartServerOptions.rateLimitPerMinute (default: 600)
  • StartServerOptions.maxSessions (default: 1000)
  • StartServerOptions.cors (CorsConfig)
  • RequireJwtOptions.onAuthFailure
  • RequireApiKeyOptions.onAuthFailure

Tests

  • 50 new regression tests across 4 test files

Security Fixes

  • HTTP transport now enforces session ID UUID v4 validation, safely parses JSON bodies returning HTTP 400 on malformed input, limits concurrent sessions to 1000 with HTTP 503 overflow, implements CORS preflight support, adds prototype‑pollution guard in Edge Runtime, and validates HMAC secret strength (warning in dev, error in prod for < 32 chars).
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track vinkius-labs/mcp-fusion

Get notified when new releases ship.

Sign up free

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.

All releases →

Related context

Earlier breaking changes

  • v4.0.0 All packages now published under the `@mcpfusion` npm scope.
  • v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
  • v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.

Beta — feedback welcome: [email protected]