Security Advisory
This patch release resolves a medium-severity information-exposure vulnerability (CWE-209) in the consolidation recommendations API endpoint.
Security Fix
Sanitize consolidation recommendations response (CodeQL alert #356 — py/stack-trace-exposure)
The GET /api/consolidation/recommendations endpoint could previously expose internal exception messages, raw Python data-structure representations, and stack-trace fragments to API clients via unhandled serialisation errors.
Changes in src/mcp_memory_service/web/api/consolidation.py:
recommendationfield value is now validated against an explicit allowlist (consolidate,maintain,archive,review); any value outside this set is replaced with the safe string"unknown".- All type conversions (
int(),float(),datetime.fromisoformat()) are now wrapped intry/exceptblocks that substitute safe fallback values (0,0.0,null) instead of propagating raw exception text to the HTTP response. - Full exception details continue to be recorded via
logger.error()for operator visibility; only the sanitised payload is sent to clients.
Severity: Medium (CVSS 2.0 baseline, internal data only — no credentials or PII exposed)
CWE: CWE-209 (Information Exposure Through an Error Message)
Introduced in: v10.17.14 partial fix left one code path unpatched
Fixed in: v10.18.1
Upgrade
pip install --upgrade mcp-memory-service
# or
uv add mcp-memory-service==10.18.1All users running the HTTP API server (python scripts/server/run_http_server.py) are encouraged to upgrade.
Changelog
See CHANGELOG.md for the full entry.