
zhangpanda/gomcp

v1.4.0 Security

This release includes 3 security fixes (API key scrub bypass, group tool race condition, Inspector XSS) for security teams reviewing exposed deployments.

Published 1 month ago · MCP Developer Tools

✓ No known CVEs patched: the three security fixes come from the project's own review rounds (round 3) and carry no CVE identifiers.

Topics

ai claude cursor gin go grpc kiro mcp mcp-server model-context-protocol openapi

Affected surfaces

auth rbac

ReleasePort's take

Version v1.4.0 corrects OpenTelemetry span naming and Prometheus metric labeling for the tool name: before the fix, spans were emitted as mcp.tool.unknown and the Prometheus tool label was empty, so per-tool dashboards and alerts were blind. It also fixes a session leak in stdio mode (every tool call allocated a new session; 2MB → 227MB over 30s of sustained load) and carries three security fixes from the project's round-3 review (API key scrub bypass, group tool race, Inspector XSS).

Why it matters: Patch to v1.4.0 if you expose a gomcp server or its Inspector UI to untrusted callers, since the round-3 fixes cover that surface; if you rely on per-tool tracing or metrics, since mislabeled spans hide per-tool latency and error rates; and if you run a long-lived stdio server, since on v1.3.x its memory grows without bound under sustained calls.

Summary

AI summary

Fixed OpenTelemetry span naming and Prometheus metric labeling for the tool name.

Changes in this release

Feature (Medium): Official gRPC adapter example added in examples/grpc-adapter/ (no protoc needed). Source: llm_adapter@2026-05-21; confidence: low.

Feature (Medium): Benchmark tests for 4 hot paths added in benchmark_test.go. Source: llm_adapter@2026-05-21; confidence: low.

Feature (Medium): Soak test for memory stability added in soak_test.go. Source: llm_adapter@2026-05-21; confidence: low.

Feature (Medium): Endurance test for sustained SSE over 10 seconds added in transport/sse_endurance_test.go. Source: llm_adapter@2026-05-21; confidence: low.

Feature (Medium): Three step-by-step guides added to docs/cookbook/. Source: llm_adapter@2026-05-21; confidence: low.

Dependency (Medium): CI now includes Windows matrix and release-please manual trigger. Source: llm_adapter@2026-05-21; confidence: low.

Performance (Medium): Tool call latency reduced from 12µs to 9µs, allocations decreased by 20% (66 → 53). Source: llm_adapter@2026-05-21; confidence: high.

Performance (Medium): Memory growth stable at 1.06x over 30 seconds sustained load. Source: llm_adapter@2026-05-21; confidence: low.

Bugfix (Medium): _tool_name now visible to middleware (OpenTelemetry spans and Prometheus metrics correctly labeled). Source: llm_adapter@2026-05-21; confidence: high.

Bugfix (Medium): Session leak in stdio mode fixed by reusing a single default session when no `Mcp-Session-Id` header is present; memory usage stable under sustained load. Sources: llm_adapter@2026-05-21, granite4.1:30b@2026-05-23-audit; confidence: high.

Bugfix (Medium): Redundant JSON unmarshal in handleToolsCall eliminated. Source: llm_adapter@2026-05-21; confidence: low.

Bugfix (Medium): Path traversal, empty content, and marshal errors resolved (round-4 review). Source: llm_adapter@2026-05-21; confidence: low.

Bugfix (Medium): API key scrub bypass, group tool race, and inspector XSS mitigated (round-3 review). Source: llm_adapter@2026-05-21; confidence: low.

Refactor (Medium): Adapter now URL-escapes path params, includes gRPC discovery, and rate-limit clock adjustments. Source: llm_adapter@2026-05-21; confidence: low.
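The adapter change above (URL-escaping path params) is the kind of fix that matters when MCP tool arguments are spliced into an upstream HTTP path, as an OpenAPI or Gin adapter does. The Go program below is an added illustration, not gomcp's adapter code: buildPathNaive shows the unescaped substitution a quick adapter might do, and buildPathEscaped shows per-segment escaping with url.PathEscape plus a rejection of empty values, dot segments and separators, which is this example's own policy and stricter than escaping alone (escaping leaves ".." untouched and many upstream servers decode %2F before normalising the path). Template and parameter names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBadPathParam is returned for values that could alter the path structure
// after the upstream server decodes and normalises the request path.
var ErrBadPathParam = errors.New("path parameter would change the request path")

// buildPathNaive substitutes {name} placeholders with the raw argument value.
// A tool argument such as "../admin" then rewrites the upstream request path.
func buildPathNaive(template string, params map[string]string) string {
	out := template
	for k, v := range params {
		out = strings.ReplaceAll(out, "{"+k+"}", v)
	}
	return out
}

// buildPathEscaped substitutes the same placeholders, but each value is
// percent-encoded as exactly one path segment, and values that can still
// collapse or extend the path are refused outright: "", ".", "..", and
// anything containing "/" or "\". (Refusing separators instead of merely
// escaping them is this example's policy, not a rule taken from gomcp.)
func buildPathEscaped(template string, params map[string]string) (string, error) {
	out := template
	for k, v := range params {
		if v == "" || v == "." || v == ".." || strings.ContainsAny(v, `/\`) {
			return "", fmt.Errorf("%w: %s=%q", ErrBadPathParam, k, v)
		}
		out = strings.ReplaceAll(out, "{"+k+"}", url.PathEscape(v))
	}
	// url.PathEscape encodes "{" as %7B, so a leftover brace can only be an
	// unfilled placeholder, never a value that happened to contain one.
	if strings.Contains(out, "{") {
		return "", fmt.Errorf("unfilled placeholder in %q", out)
	}
	return out, nil
}

func main() {
	tmpl := "/users/{id}/profile"
	fmt.Println(buildPathNaive(tmpl, map[string]string{"id": "../admin"})) // /users/../admin/profile
	p, err := buildPathEscaped(tmpl, map[string]string{"id": "jo?hn#1 doe"})
	fmt.Println(p, err) // /users/jo%3Fhn%231%20doe/profile <nil>
	_, err = buildPathEscaped(tmpl, map[string]string{"id": "../admin"})
	fmt.Println(err) // path parameter would change the request path: id="../admin"
}
```

The naive form turns a tool argument into a traversal of the upstream URL space; the escaped form keeps every argument inside the segment the OpenAPI template assigned to it, and refuses the few values that escaping alone cannot make safe.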

Other (Medium): Auth middleware error shape clarified (isError result, not JSON-RPC error). Source: llm_adapter@2026-05-21; confidence: low.

Other (Medium): Provider version field renames tool to name@version. Source: llm_adapter@2026-05-21; confidence: low.

Other (Medium): Cookbook links added to README. Source: llm_adapter@2026-05-21; confidence: low.

Full changelog

GoMCP v1.4.0

Bug Fixes

  • _tool_name invisible to middleware — OpenTelemetry spans were mcp.tool.unknown, Prometheus metrics had empty tool labels. Fixed by setting _tool_name before the middleware chain fires.
  • Session leak in stdio mode — every tool call created a new session object. 30s sustained load: 2MB → 227MB. Fixed: reuse a single default session when no Mcp-Session-Id header is present.
  • Redundant JSON unmarshal: handleToolsCall parsed params twice per call. Eliminated.
  • Path traversal, empty content, marshal errors (round-4 review)
  • API key scrub bypass, group tool race, inspector XSS (round-3 review)
  • Adapter: URL-escape path params, gRPC discovery, rate-limit clock
  • Schema: nested/array validation + concurrent race + map type
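The session-leak bullet above describes a resource-exhaustion bug: with no Mcp-Session-Id header (which is always the case over stdio), every tool call allocated a session that nothing ever released. The Go program below is an added illustration of the before and after, not gomcp's session code: Session, Store and the Lookup functions are stand-ins, and Simulate counts how many sessions survive a run of header-less calls. One design point is this example's own and not stated on the page: the shared default session is only used when the store is in stdio mode, and a header-less request over HTTP is rejected rather than merged, because on a multi-client transport a single shared session would let unrelated callers see each other's state.

```go
package main

import (
	"fmt"
	"sync"
)

// Session is the per-client state an MCP server keeps between calls.
type Session struct {
	ID    string
	State map[string]any
}

// Store holds live sessions. Anything added here and never removed lives
// for the life of the process, which is exactly what leaked in stdio mode.
type Store struct {
	mu       sync.Mutex
	stdio    bool // true when serving one client over stdin/stdout
	sessions map[string]*Session
	def      *Session // the single shared session used over stdio
	nextID   int
}

func NewStore(stdio bool) *Store {
	return &Store{stdio: stdio, sessions: make(map[string]*Session)}
}

// create allocates and registers a new session; the caller holds s.mu.
func (s *Store) create() *Session {
	s.nextID++
	sess := &Session{ID: fmt.Sprintf("s-%d", s.nextID), State: map[string]any{}}
	s.sessions[sess.ID] = sess
	return sess
}

// LookupLeaky mirrors the pre-1.4.0 behaviour from the changelog: a call with
// no Mcp-Session-Id gets a fresh session every time. Over stdio no header ever
// arrives, so every tool call grows the map by one entry.
func (s *Store) LookupLeaky(sessionID string) (*Session, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if sessionID == "" {
		return s.create(), true
	}
	sess, ok := s.sessions[sessionID]
	return sess, ok
}

// Lookup is the fixed behaviour: over stdio, all header-less calls map to one
// default session. Over HTTP a missing header is rejected instead of merged
// (this transport split is the example's own hardening choice).
func (s *Store) Lookup(sessionID string) (*Session, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if sessionID == "" {
		if !s.stdio {
			return nil, false
		}
		if s.def == nil {
			s.def = s.create()
		}
		return s.def, true
	}
	sess, ok := s.sessions[sessionID]
	return sess, ok
}

// Len reports how many sessions the store currently holds.
func (s *Store) Len() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.sessions)
}

// Simulate issues n header-less tool calls against a stdio-mode store and
// returns the session count afterwards: n with the leaky lookup, 1 with the fix.
func Simulate(n int, leaky bool) int {
	st := NewStore(true)
	for i := 0; i < n; i++ {
		if leaky {
			st.LookupLeaky("")
		} else {
			st.Lookup("")
		}
	}
	return st.Len()
}

func main() {
	fmt.Println("leaky:", Simulate(10000, true), "fixed:", Simulate(10000, false)) // leaky: 10000 fixed: 1
}
```

The soak test the release adds (soak_test.go, memory stability assertion) is the right regression guard for this class of bug: assert on the count of live sessions or on heap growth after a sustained run, not on a single call.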

Performance

  • Tool call: 12µs → 9µs, 66 → 53 allocs (-20%), 46k calls/s
  • Memory: stable at 1.06x growth over 30s sustained load

New

  • examples/grpc-adapter/ — official gRPC adapter example (no protoc needed)
  • benchmark_test.go — 4 hot-path benchmarks
  • soak_test.go — memory stability assertion
  • transport/sse_endurance_test.go — 10s sustained SSE test
  • docs/cookbook/ — 3 step-by-step guides
  • CI: Windows matrix + release-please (manual trigger)

Docs

  • Auth middleware error shape clarified (isError result, not JSON-RPC error)
  • Provider version field renames tool to name@version
  • Cookbook links added to README
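Two items in this changelog concern the middleware chain: the _tool_name fix under Bug Fixes (the name was set after the chain had run, so tracing and metrics middleware saw "unknown" and an empty label) and the Docs note that auth middleware rejects a call with an isError result rather than a JSON-RPC error. The Go program below is an added illustration of both, not gomcp's code: Request, Result, Handler, Middleware, the metrics and auth middleware and the two dispatch functions are stand-ins, and _tool_name is modeled as a context value, which is an assumption about how the framework carries it. dispatchLate reproduces the broken ordering and dispatchEarly the fixed one.

```go
package main

import (
	"context"
	"crypto/subtle"
	"fmt"
	"sync"
)

// Result is a minimal stand-in for a tools/call result: content plus isError.
type Result struct {
	Content string
	IsError bool
}

// Request is what the server hands the chain; ToolName comes from tools/call params.
type Request struct {
	ToolName string
	APIKey   string
	Args     map[string]any
}

type Handler func(ctx context.Context, req *Request) (*Result, error)
type Middleware func(next Handler) Handler

// _tool_name is modeled here as a context value under a private key type.
type ctxKey string

const toolNameKey ctxKey = "_tool_name"

// toolNameFrom is what tracing and metrics middleware read to label a span or
// counter; "unknown" is the fallback that v1.3.x always hit.
func toolNameFrom(ctx context.Context) string {
	if v, ok := ctx.Value(toolNameKey).(string); ok && v != "" {
		return v
	}
	return "unknown"
}

// Counters stands in for a Prometheus counter vector with a tool label.
type Counters struct {
	mu    sync.Mutex
	Calls map[string]int
}

func (c *Counters) Inc(label string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.Calls[label]++
}

// metrics labels each call with whatever tool name is visible in ctx when it runs.
func metrics(c *Counters) Middleware {
	return func(next Handler) Handler {
		return func(ctx context.Context, req *Request) (*Result, error) {
			c.Inc("mcp.tool." + toolNameFrom(ctx))
			return next(ctx, req)
		}
	}
}

// auth rejects a bad key with an isError tool result and a nil Go error: the
// JSON-RPC request itself was valid, the tool simply refused to run.
func auth(validKey string) Middleware {
	return func(next Handler) Handler {
		return func(ctx context.Context, req *Request) (*Result, error) {
			if subtle.ConstantTimeCompare([]byte(req.APIKey), []byte(validKey)) != 1 {
				return &Result{Content: "unauthorized", IsError: true}, nil
			}
			return next(ctx, req)
		}
	}
}

// chain wraps h so that mws[0] runs first.
func chain(h Handler, mws ...Middleware) Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}

// dispatchLate reproduces the pre-1.4.0 ordering: _tool_name only enters the
// context in the innermost handler, after every middleware has already run.
func dispatchLate(h Handler, mws []Middleware, req *Request) (*Result, error) {
	inner := func(ctx context.Context, r *Request) (*Result, error) {
		return h(context.WithValue(ctx, toolNameKey, r.ToolName), r)
	}
	return chain(inner, mws...)(context.Background(), req)
}

// dispatchEarly is the v1.4.0 ordering: _tool_name is set before the chain fires.
func dispatchEarly(h Handler, mws []Middleware, req *Request) (*Result, error) {
	ctx := context.WithValue(context.Background(), toolNameKey, req.ToolName)
	return chain(h, mws...)(ctx, req)
}

// echo is a trivial registered tool.
func echo(_ context.Context, req *Request) (*Result, error) {
	text, _ := req.Args["text"].(string)
	return &Result{Content: text}, nil
}

func main() {
	c := &Counters{Calls: map[string]int{}}
	req := &Request{ToolName: "echo", APIKey: "k-1", Args: map[string]any{"text": "hi"}}
	mws := []Middleware{metrics(c), auth("k-1")}
	dispatchLate(echo, mws, req)
	dispatchEarly(echo, mws, req)
	fmt.Println(c.Calls) // map[mcp.tool.echo:1 mcp.tool.unknown:1]
}
```

Because metrics runs before auth in this chain, a rejected call is still counted under the right tool label, which is what you want when alerting on authorization failures per tool; and the rejection travels as an isError result, so a client sees a well-formed tools/call response rather than a transport-level fault.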

Full Changelog: https://github.com/zhangpanda/gomcp/compare/v1.3.0...v1.4.0

Security Fixes

  • API key scrub bypass fix
  • Group tool race condition mitigation
  • Inspector XSS vulnerability remediation


About zhangpanda/gomcp

A Gin-like framework for building MCP servers in Go. Struct-tag auto schema, middleware chain, auth, tool groups, adapters for Gin/OpenAPI/gRPC, async tasks, Inspector UI.
