github doobidoo/mcp-memory-service v10.65.3
v10.65.3 — Security Fix (GHSA-2r68-g678-7qr3, CVSS 8.1) + CI Docker Fix
on GitHub

6 hours ago

Security Advisory

GHSA-2r68-g678-7qr3 — CVSS 8.1, CWE-862 (Missing Authorization)

OAuth read-only clients could invoke mutating MCP tools (store_memory, delete_memory, and related write operations) via the /mcp/tools/call endpoint despite holding only a read-scope token.

Affected versions: v10.0.0 – v10.65.1 (all versions with MCP HTTP transport + OAuth)
Fixed in: v10.65.3

Upgrade immediately if you use the HTTP MCP transport with OAuth.

What's Changed

Security

  • fix(security): enforce write scope on MCP tools/call (#1004): Added _WRITE_TOOLS set; OAuth scope checked before dispatch for all mutating tools. Unauthorized calls return JSON-RPC error -32003 and HTTP 403. 4 regression tests added.

CI

  • ci: restrict quality-cpu Docker build to linux/amd64 only (#1003, closes #1002): The quality-cpu image build was hitting the 6-hour GitHub Actions timeout on every release since v10.64.0 due to QEMU-emulated arm64 cross-compilation. Platforms now restricted to linux/amd64. arm64 users: use :slim or :latest (both multi-arch).

Upgrade

pip install --upgrade mcp-memory-service==10.65.3
# or
uvx mcp-memory-service@10.65.3

Full changelog: CHANGELOG.md

Check out latest releases or
releases around doobidoo/mcp-memory-service v10.65.3

Don't miss a new mcp-memory-service release

NewReleases is sending notifications on new releases.

Get notifications