V1.17.3

@SepineTam SepineTam released this 19 May 16:50
· 61 commits to master since this release

Stata-MCP v1.17.3

Release Date: May 20, 2026
Type: Security Fix

What's New

This release patches 8 security vulnerabilities discovered during a comprehensive security audit, including a critical command injection via the log_file_name parameter (issue #74).

Changes

  • Security: Fix critical log_file_name injection vulnerability that allowed arbitrary Stata command execution via crafted log file names (closes #74).
  • Security: Add dofile_path control character validation to prevent quote and backtick injection in Stata do commands.
  • Security: Add log path traversal protection using resolve() and is_relative_to() checks.
  • Security: Harden guard validator against colon-prefix bypasses (quietly:, capture:, noisily:).
  • Security: Reject #delimit ; syntax in guard mode to prevent delimiter-based command smuggling.
  • Security: Enhance macro expansion detection to catch local/global macro bypasses with arguments and compound quotes.
  • Security: Add python, mata, java, and plugin commands to the dangerous commands blacklist.
  • Tests: Add comprehensive regression tests for all 8 security fixes.
  • Docs: Add Codex installation instructions to README and Chinese translation.
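
The log_file_name and log path traversal fixes listed above can be pictured with the sketch below. It is an added example, not Stata-MCP's own code: safe_log_path, UnsafeLogPath and the allowlist pattern are hypothetical names and an assumed policy, and only resolve() and is_relative_to() are taken from the release notes (is_relative_to() needs Python 3.9 or later).

```python
import re
from pathlib import Path

# Assumed policy (not the project's): a log name is a bare file name that
# starts with a letter or digit and contains only letters, digits, '.', '_'
# and '-'. Quotes, backticks, newlines, spaces and path separators are
# therefore rejected before the name is ever placed in a Stata command.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class UnsafeLogPath(ValueError):
    """Raised when a requested log name or its resolved path is rejected."""


def safe_log_path(log_dir, log_file_name):
    """Return the resolved log path inside log_dir, or raise UnsafeLogPath."""
    # Step 1: allowlist the name. fullmatch() also refuses a trailing newline,
    # which a '$'-anchored match() would let through.
    if not _SAFE_NAME.fullmatch(log_file_name):
        raise UnsafeLogPath(f"illegal log file name: {log_file_name!r}")

    base = Path(log_dir).resolve()
    # Step 2: resolve() collapses '..' and follows symlinks, so the
    # containment check below is made against the real destination.
    candidate = (base / log_file_name).resolve()
    if not candidate.is_relative_to(base):
        raise UnsafeLogPath(f"log path escapes {base}: {candidate}")
    return candidate


def audit_names(log_dir, names):
    """Map each requested name to 'ok' or to the reason it was rejected."""
    results = {}
    for name in names:
        try:
            safe_log_path(log_dir, name)
            results[name] = "ok"
        except UnsafeLogPath as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    # Constructed sample inputs, not taken from issue #74.
    samples = ["run_01.log", "../outside.log", 'x.log"\ndisplay 1', "a`b.log"]
    for name, verdict in audit_names("logs", samples).items():
        print(f"{name!r}: {verdict}")
```

The containment check still matters once the name is allowlisted: a symlink that already exists inside the log directory under a harmless name resolves to its target, and the is_relative_to() test rejects it if that target lies elsewhere.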