Ph0rse
Hi, I noticed you have committed the deserialization bugs from https://seclists.org/oss-sec/2017/q3/184. That's a very meaningful safety reminder. But is there some way to trigger the deserialization remotely? Through my...
I ran into the same problem.
How is this part triggered? The deserialization seems to happen only when the web server reads data back from Redis, which seems fairly useless. If you can already modify the data in Redis, then the RCE seems fairly useless as well...
### **First Issue:** This is not merely a proxy confusion issue. As shown in [https://github.com/cloudflare/ai/pull/99](https://github.com/cloudflare/ai/pull/99), simply adding warnings — whether displaying the proxy like `mcp-remote` or showing information about the...
I believe this is more of a bug than an enhancement discussion. The design of an authentication protocol is a one-way door decision — once implemented incorrectly, it becomes extremely...
> > Extraction of A account accesstoken, and unauthorized access to PayPal invoices and transaction data. > > Forgive me for not understanding the attack scenario. Shouldn't the user be...
> I believe this recommendation is already described in RFC9728: > > https://datatracker.ietf.org/doc/html/rfc9728#section-7.4 > > > If a client expects to interact with multiple resource servers, the client SHOULD request...
> > The key issue is that users have no reliable information to verify whether an MCP link is legitimate. Once the malicious MCP server address is configured, all subsequent...