Skip to content

Fix/memory server schema validation #2726

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
domdomegg merged 1 commit into from
Sep 18, 2025
Merged

Fix/memory server schema validation #2726

domdomegg merged 1 commit into from
Sep 18, 2025
+26 −2

Conversation

@0dd
Copy link
Contributor

@0dd 0dd commented Sep 17, 2025

TLDR

Fix the critical Security Issue see the report

  • Add explicit property filtering in saveGraph method
  • Add additionalProperties constraints to input schemas

Description

Server Details

  • Server: Memory Server
  • Changes to: Tool

Motivation and Context

Security Issue: Please Check the report

How Has This Been Tested?

Test with Amazon Q and MCP CLI

Breaking Changes

All Users need to update to this version to prevent Security Issue (detailed in the link)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Protocol Documentation
  • My changes follows MCP security best practices
  • I have updated the server's README accordingly
  • I have tested this with an LLM client
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have documented all environment variables and configuration options

@0dd
Improve memory server schema validation
b97f97c 
- Add explicit property filtering in saveGraph method
- Add additionalProperties constraints to input schemas
@0dd
Copy link
Contributor Author

0dd commented Sep 17, 2025
edited
Loading

@olaservo @cliffhall Please take a look on this critical fix.

@olaservo
Copy link
Member

olaservo commented Sep 17, 2025

@0dd could you allow access to the doc? I just requested it with my google account.

@olaservo olaservo added bug Something isn't working server-memory Reference implementation for the Memory MCP server - src/memory labels Sep 17, 2025
@0dd
Copy link
Contributor Author

0dd commented Sep 17, 2025

@0dd could you allow access to the doc? I just requested it with my google account.

Thanks @olaservo added

@cliffhall
Copy link
Member

cliffhall commented Sep 17, 2025

I also requested access.

@0dd
Copy link
Contributor Author

0dd commented Sep 17, 2025

I also requested access.

Thanks @cliffhall added

cliffhall
cliffhall approved these changes Sep 17, 2025
View reviewed changes
Copy link
Member

@cliffhall cliffhall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 👍

@cliffhall cliffhall requested a review from olaservo September 17, 2025 19:37
@domdomegg domdomegg merged commit 52ab84c into modelcontextprotocol:main Sep 18, 2025
19 checks passed
@0dd
Copy link
Contributor Author

0dd commented Sep 18, 2025
edited by cliffhall
Loading

Since this is a security fix for the report, could we cut a patch release as the patched version: @modelcontextprotocol/server-memory@0.6.4? I didn’t bump the version in the PR. I assumed releases are handled in a separate commit and reviewed by the maintainer team.

We'll make a release out ASAP, it will change the server version to the dated release number.

@cliffhall
Copy link
Member

cliffhall commented Sep 18, 2025

Also, may you help open a GitHub Security Advisory and request a CVE for this issue? I’m a security researcher and would appreciate a CVE ID for attribution and tracking. For reference, I noticed the recent Server FileSystem advisories (e.g., CVE-2025-53110 and CVE-2025-53109) also managed by NPM. I previously submitted this via h1, but it wasn’t triaged. Could you help loop in the security team?

@jenn-newton

@0dd
Copy link
Contributor Author

0dd commented Oct 10, 2025

Hi team I saw this have been fixed in the version @modelcontextprotocol/server-memory@2025.9.25
Thank you all for the fix version build.

@jenn-newton @cliffhall Can you also help request the CVE for this one? I have also discussed the detailed threat model through discord.

The affected version was from npm version 0.2.0 till the date version <@2025.9.25

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cliffhall cliffhall cliffhall approved these changes

@domdomegg domdomegg domdomegg approved these changes

@olaservo olaservo Awaiting requested review from olaservo

Assignees

No one assigned

Labels

bug Something isn't working server-memory Reference implementation for the Memory MCP server - src/memory

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@0dd @olaservo @cliffhall @domdomegg