github doobidoo/mcp-memory-service v10.25.1
v10.25.1 — Security patch: CORS hardening + soft-delete fix

one month ago

Security Fixes

GHSA-g9rg-8vq5-mpwm — Wildcard CORS Default (HIGH)

Impact: When the HTTP server is enabled with anonymous access, the default wildcard CORS configuration (*) allowed any website to silently read, modify, and delete all stored memories via cross-origin JavaScript requests.

Fix:

  • MCP_CORS_ORIGINS now defaults to http://localhost:8000,http://127.0.0.1:8000 instead of *
  • allow_credentials is automatically set to False when wildcard origins are configured
  • A startup warning is logged if a wildcard is explicitly set via the environment variable

Action required: If you set MCP_CORS_ORIGINS=* explicitly, remove it or replace it with your actual dashboard origin.
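As an added illustration, not the project's own code, the stdlib-only Python below shows how a resolver for MCP_CORS_ORIGINS can apply the three fixes listed above: the localhost default, forcing allow_credentials off whenever a wildcard is present, and a startup warning when the wildcard is set explicitly. The function and class names are assumptions; the real implementation may differ.

```python
import logging
import os
from dataclasses import dataclass, field
from typing import List, Optional

log = logging.getLogger("mcp_memory_service.cors")

# Default introduced by this release: local dashboard origins only, never "*".
DEFAULT_CORS_ORIGINS = "http://localhost:8000,http://127.0.0.1:8000"


@dataclass
class CorsPolicy:
    allow_origins: List[str] = field(default_factory=list)
    allow_credentials: bool = False
    wildcard: bool = False


def resolve_cors_policy(raw: Optional[str], want_credentials: bool = True) -> CorsPolicy:
    """Build a CORS policy from a MCP_CORS_ORIGINS value (hypothetical helper).

    - An unset or empty value falls back to DEFAULT_CORS_ORIGINS.
    - A "*" entry forces allow_credentials=False: a credentialed wildcard
      would let any site act with the user's cookies/credentials.
    - A wildcard also emits a startup warning so operators notice it.
    """
    value = (raw or "").strip() or DEFAULT_CORS_ORIGINS
    origins = [o.strip() for o in value.split(",") if o.strip()]
    wildcard = "*" in origins
    if wildcard:
        log.warning(
            "MCP_CORS_ORIGINS contains '*': any website may call this server; "
            "credentials are disabled. Set an explicit dashboard origin instead."
        )
    return CorsPolicy(
        allow_origins=origins,
        allow_credentials=want_credentials and not wildcard,
        wildcard=wildcard,
    )


def policy_from_env() -> CorsPolicy:
    """Read MCP_CORS_ORIGINS from the process environment at startup."""
    return resolve_cors_policy(os.environ.get("MCP_CORS_ORIGINS"))


def origin_allowed(policy: CorsPolicy, origin: str) -> bool:
    """Decide whether a request's Origin header may receive a CORS allow header."""
    return policy.wildcard or origin in policy.allow_origins
```

With the default policy a request from an unlisted origin gets no allow header, while an explicit wildcard still admits every origin but can no longer carry credentials.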

GHSA-x9r8-q2qj-cgvw — TLS Verification in Peer Discovery (HIGH)

Formally closed. The fix (PEER_VERIFY_SSL=True default) was already present in v10.25.0. Advisory published to document the resolution.

Bug Fix

  • Soft-delete leak in search_by_tag_chronological(): Missing AND deleted_at IS NULL filter caused tombstoned memories to appear in chronological tag search results.

Upgrade

pip install --upgrade mcp-memory-service

Or via git:

git pull && pip install -e .
