OSS security research in the AI-agent / MCP ecosystem.
Reference-tier infrastructure (largest blast radius):

| GHSA | Vendor | Class | PoC |
|---|---|---|---|
| GHSA-4m3j-875h-rwg6 | modelcontextprotocol/python-sdk (Anthropic-governed reference SDK) | CWE-770 pre-auth memory exhaustion (single 500 MiB POST grows RSS 14×) | Empirical, runnable |
| GHSA-66mv-62mm-hwrx | modelcontextprotocol/typescript-sdk | CWE-770 same primitive in Hono + Node adapters (Express adapter safe by default) | Source-confirmed |
Vendor-specific findings:

| GHSA | Vendor | Class |
|---|---|---|
| GHSA-p4v8-qmvx-f922 | ByteDance UI-TARS-desktop / agent-tars | CWE-918 SSRF via browser_navigate |
| GHSA-j38f-59cc-6pm8 | PrefectHQ/fastmcp | CWE-352 DNS-rebinding CSRF (curl PoC) |
| GHSA-h7xc-pfh4-7mjv | continuedev/continue | CWE-78 RCE via .continue/mcpServers/*.json auto-spawn |
| GHSA-6h4j-54wp-57c4 | continuedev/continue | CWE-352 DNS-rebinding in cn serve HTTP API |
| GHSA-j327-qp7v-xj94 | run-llama/llama_index | CWE-94 pickle.load on shared persist_dir |
| GHSA-43x5-wwvx-7g3m | mlflow/mlflow | CWE-22 zipslip |
| GHSA-hfj5-88mp-26jq | cloudflare/workers-sdk | CWE-732 credential-file permissions |
| GHSA-2h7j-3573-w5f2 | browser-use/browser-use | CWE-732 Gmail-token leak |
| GHSA-79w5-8gp7-73mp | FlowiseAI/Flowise | CWE-732 master encryption key world-readable |
Plus 7+ more (full ledger 18 entries) across cline, prisma, replicate, hexclave/stack-auth, agentmail-to, upbit-official/upbit-cli, tursodatabase/turso-cli.

- Rich-Harris/degit #404, tiged/tiged #164 — CWE-78 shell-template → execFile-argv
- FlowiseAI/Flowise #6420, fwdcloudsec/granted #944 — CWE-732 file-mode hardening
- huggingface/huggingface_hub #4234 — token-file TOCTOU fix (merged, shipped in v1.16.0)
- Open: prisma#29568 · microsoft/genaiscript#1969 · langchain-ai/langgraph#7873 · others
imjyy2.0@gmail.com · West Vancouver, BC (Pacific time, UTC-8)