go-sdk

protect against attacks from MCP server URLs

Open jba opened this issue 4 months ago • 5 comments

https://verialabs.com/blog/from-mcp-to-shell documents some attacks that arise from trusting the authentication URLs served by MCP servers. We should fix this along the lines of https://github.com/modelcontextprotocol/typescript-sdk/pull/877, by preventing certain URL schemes.

jba, Sep 25 '25 00:09

#539 addresses PRM, but we should also address auth server metadata and DCR as well, following https://github.com/modelcontextprotocol/typescript-sdk/pull/877.

jba, Sep 29 '25 15:09

We can accept a PR from the community on this one.

samthanawalla, Sep 30 '25 14:09

I think this issue should be closed by https://github.com/modelcontextprotocol/go-sdk/pull/539

appleboy, Oct 15 '25 00:10

Is this issue still open?

krtkvrm, Oct 29 '25 08:10

@appleboy @krtkvrm per Jonathan's comment above (https://github.com/modelcontextprotocol/go-sdk/issues/526#issuecomment-3347545895), I think there is more to do here: "we should also address auth server metadata and DCR as well, following https://github.com/modelcontextprotocol/typescript-sdk/pull/877."

findleyr, Oct 29 '25 14:10
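
The thread asks for URL scheme restrictions on PRM, auth server metadata and DCR alike. The Go code below is an added example of one such check applied to all three documents; it is not code from go-sdk, from any commenter, or from the linked pull requests. The allowlist policy (https, or http only to a loopback host), the list of checked members and the function names are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
)

// URL members named in RFC 9728 (PRM), RFC 8414 (AS metadata), RFC 7591 (DCR).
var urlFields = []string{"authorization_servers", "issuer",
	"authorization_endpoint", "token_endpoint", "registration_endpoint", "client_uri"}

// checkAuthURL allows https, or http to loopback (assumed policy); rejects the rest.
func checkAuthURL(field, raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%s: unparseable URL: %w", field, err)
	}
	host := u.Hostname()
	loopback := host == "localhost" || net.ParseIP(host).IsLoopback()
	if host == "" || !(u.Scheme == "https" || (u.Scheme == "http" && loopback)) {
		return fmt.Errorf("%s: URL %q rejected (scheme %q)", field, raw, u.Scheme)
	}
	return nil
}

// checkDocument validates every listed URL member of one JSON metadata document.
func checkDocument(doc []byte) (errs []error) {
	var m map[string]any
	if err := json.Unmarshal(doc, &m); err != nil {
		return []error{err}
	}
	for _, f := range urlFields {
		vals, isList := m[f].([]any)
		if _, present := m[f]; present && !isList {
			vals = []any{m[f]} // single value; non-strings fail the check below
		}
		for _, v := range vals {
			if err := checkAuthURL(f, fmt.Sprint(v)); err != nil {
				errs = append(errs, err)
			}
		}
	}
	return errs
}

func main() {
	fmt.Println(checkDocument([]byte(`{"issuer":"https://auth.example.com","authorization_endpoint":"file:///tmp/x"}`))) // constructed sample
}
```

Running the check on each fetched document before any of its URLs is opened or requested means a bad value in auth server metadata or a DCR response is caught the same way as one in PRM.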