v2.0.2

@benoitc benoitc released this 23 May 15:02
fe8b8dc

A security release from a release-time review of the 2.0.x HTTP transport and the auth providers. No public API changes.

Security

  • Authentication is enforced on every Streamable HTTP verb. GET (open SSE) and DELETE (terminate session) previously ran no auth provider; the Mcp-Session-Id alone gated them, so a leaked session id let a caller read a session's server-to-client SSE traffic or terminate sessions without a credential. Both verbs now run the same auth gate as POST, before any session lookup. No-op under barrel_mcp_auth_none.
  • Resource, prompt and completion handler crashes no longer leak exception terms to the client. resources/read, prompts/get and completion/complete serialised the caught Class:Reason into the JSON-RPC error (only tools/call was fixed in 2.0.1). They now log server-side and return a generic message.
  • The built-in listener caps concurrent connections. With idle_timeout at infinity (so long-lived SSE GETs are never reaped), a connection lived until the peer closed it, so a connection flood or slow/idle clients could exhaust file descriptors and memory. Each listener now bounds established connections (default 16384, max_connections option).
  • Basic-auth unknown-user timing matches the configured mode. When hash_passwords was false the unknown-user path ran PBKDF2 while the configured path ran a fast SHA-256 compare, revealing username existence by timing. The stand-in now matches the active mode.
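The unknown-user timing fix above, illustrated as an added example (constructed Python, not barrel_mcp's Erlang code): the stand-in credential is built in whichever mode is active, so an unknown user and a wrong password for a known user do the same amount of work. User names, passwords and the iteration count are placeholders.

```python
import hashlib
import hmac
import os
import time

# Constructed example, not project code: a Basic-auth verifier whose unknown-user
# stand-in does the same work as the configured mode. The pre-fix behaviour was to
# always run PBKDF2 for unknown users, which in plain mode (fast SHA-256 compare for
# configured users) made unknown names measurably slower to reject.
PBKDF2_ITERATIONS = 100_000  # placeholder cost


def pbkdf2(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


class BasicAuth:
    def __init__(self, users: dict[str, str], hash_passwords: bool):
        self.hash_passwords = hash_passwords
        self._users = {name: self._store(pw.encode()) for name, pw in users.items()}
        # Stand-in for unknown users, derived in the *active* mode (the fix).
        self._dummy = self._store(os.urandom(32))

    def _store(self, password: bytes) -> tuple[bytes, bytes]:
        salt = os.urandom(16) if self.hash_passwords else b""
        return salt, self._derive(password, salt)

    def _derive(self, password: bytes, salt: bytes) -> bytes:
        if self.hash_passwords:
            return pbkdf2(password, salt)
        return hashlib.sha256(password).digest()  # plain mode: cheap compare

    def verify(self, username: str, password: str) -> bool:
        # Unknown user: derive and compare against the stand-in anyway, then reject.
        known = username in self._users
        salt, stored = self._users.get(username, self._dummy)
        matched = hmac.compare_digest(self._derive(password.encode(), salt), stored)
        return known and matched


def timing_ratio(auth: BasicAuth, known_user: str, rounds: int = 50) -> float:
    """Wall-clock cost of rejecting an unknown user relative to a wrong password
    for a known user. Close to 1.0 means the two paths are indistinguishable."""
    def clock(user: str) -> float:
        start = time.perf_counter()
        for _ in range(rounds):
            auth.verify(user, "wrong-password")
        return time.perf_counter() - start
    return clock("no-such-user") / clock(known_user)
```

Run `timing_ratio(BasicAuth({"alice": "s3cret"}, hash_passwords=False), "alice")` and the hashed-mode equivalent; both should sit near 1.0, whereas the pre-fix design would have shown a large ratio in plain mode.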

Fixed

  • The client reported version 2.0.0 in client_info; it now matches the library version, and the README dependency example no longer pins the stale v1.3.0 tag.

Full Changelog: v2.0.1...v2.0.2