Skip to content

ymw0407/auth-fetch-mcp

v3.0.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 22d MCP Browser & Automation
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

claude llm mcp playwright web-scrapper

Affected surfaces

auth rce_ssrf

ReleasePort's take

Light signal
editorial:auto 13d

ReleasePort v3.0.1 patches an SSRF vulnerability in auth_fetch and a path traversal flaw in download_media.

Why it matters: Patch to v3.0.1 immediately if you use auth_fetch or download_media; both vulnerabilities are fixed.

Summary

AI summary

Fixes SSRF and path traversal vulnerabilities in auth_fetch and download_media.

Changes in this release

Security Medium

SSRF vulnerability patched in auth_fetch and download_media functions

SSRF vulnerability patched in auth_fetch and download_media functions

Source: llm_adapter@2026-05-21

Confidence: low
Security Medium

Path traversal vulnerability patched in download_media output_dir

Path traversal vulnerability patched in download_media output_dir

Source: llm_adapter@2026-05-21

Confidence: low
Feature Medium

Environment variables allow opt-in private and loopback host access

Environment variables allow opt-in private and loopback host access

Source: llm_adapter@2026-05-21

Confidence: high
Full changelog

Patches GHSA-hv85-774v-26fg: SSRF in auth_fetch and download_media, plus output_dir path traversal in download_media.

See the README's URL restrictions section for the new opt-in environment variables (AUTH_FETCH_ALLOW_PRIVATE, AUTH_FETCH_ALLOW_HOSTS) used to allow private/loopback hosts when needed.

Security Fixes

  • GHSA-hv85-774v-26fg — SSRF vulnerability in `auth_fetch` and `download_media`, plus path traversal in `download_media` via `output_dir`
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track ymw0407/auth-fetch-mcp

Get notified when new releases ship.

Sign up free

About ymw0407/auth-fetch-mcp

Fetch content from login-protected web pages (Notion, Google Docs, Jira, Confluence, etc.) by opening a real browser for authentication with persistent session caching.

All releases →

Related context

Beta — feedback welcome: [email protected]