🚨 [security] Update mcp 0.8.0 → 0.9.2 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ mcp (indirect, 0.8.0 → 0.9.2) · Repo · Changelog

Security Advisories 🚨

🚨 MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

Summary

The Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data.

Details

Root Cause
The StreamableHTTPTransport implementation stores only one SSE stream object per session ID and lacks:

• Session-to-user identity binding
• Ownership validation when establishing SSE connections
• Protection against multiple simultaneous connections to the same session

PoC

Vulnerable Code

File: streamable_http_transport.rb - L336-L339:

def store_stream_for_session(session_id, stream)
  @mutex.synchronize do
    if @sessions[session_id]
      @sessions[session_id][:stream] = stream  # OVERWRITES existing stream
    else
      stream.close
    end
  end
end

Attack Scenario

Step 1: Legitimate Session Establishment

POST / (initialize) → receives session_id: "abc123"
GET / with Mcp-Session-Id: abc123 → SSE stream connected

Step 2: Session ID Compromise

• An attacker obtains the session ID through various means (out of scope for this analysis)

Step 3: Stream Hijacking

GET / with Mcp-Session-Id: abc123 
@sessions["abc123"][:stream] = attacker_stream `# Victim's stream is REPLACED (silently disconnected)

Step 4: Data Interception

• ALL subsequent tool responses/notifications go to the attacker
• The legitimate user receives no data and has no indication of the hijacking

Technical Details

The vulnerability happens:

Client 1 connects (GET request)

proc do |stream1|  # ← Rack server provides stream1 for client 1
 @sessions[session_id][:stream] = stream1  # Stored
end

Client 2 connects with SAME session ID (Attack!)

proc do |stream2|  # ← Rack provides stream2 for client 2
 @sessions[session_id][:stream] = stream2  # REPLACES stream1!
end

Now when the server sends notifications:

@sessions[session_id][:stream].write(data)  # Goes to stream2 (attacker!)
# stream1 (victim) receives nothing

Comparison: Python SDK Protection

The Python SDK prevents this vulnerability by rejecting duplicate SSE connections:

Refer: https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685

if GET_STREAM_KEY in self._request_streams:  # pragma: no cover
            response = self._create_error_response(
                "Conflict: Only one SSE stream is allowed per session",
                HTTPStatus.CONFLICT,
            )

When a duplicate connection attempt is detected, the Python SDK returns an HTTP 409 Conflict error, protecting the existing connection.

Recommended Mitigations
For SDK Maintainers

• Implement User Binding: All SDKs should bind session IDs to authenticated user identities where possible. Currently only, go-sdk and csharp-sdk do user binding.
• Ruby SDK: Prevent Duplicate Connections: Implement checks to reject or handle multiple simultaneous connections to the same session
• Improve Documentation: Provide clear guidance on secure session management implementation for SDK consumers

Steps To Reproduce:

Please find attached two python client files demonstrating the attack

Terminal 1:
ruby streamable_http_server.rb

Makes use of https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb
This server has a tool call notification_tool which the clients call

Terminal 2:

python3 legitimate_client_ruby_server.py

What happens:

• The client connects and prints the session ID
• Press Enter to start the SSE stream
• Notifications start appearing every 3 seconds as the client makes a tool call

Terminal 3 (while the legitimate client is running):

python3 attacker_client_ruby_server.py <SESSION_ID>

Replace <SESSION_ID> with the ID from Terminal 2.

What happens immediately:

• Terminal 2 (Legitimate): Stops receiving notifications, shows disconnect message
• Terminal 3 (Attacker): Starts receiving ALL the tool call responses

Impact

While the absence of user binding may not pose immediate risks if session IDs are not used to store sensitive data or state, the fundamental purpose of session IDs is to maintain stateful connections. If the SDK or its consumers utilize session IDs for sensitive operations without proper user binding controls, this creates a potential security vulnerability. For example: In the case of the Ruby SDK, the attacker was able to hijack the stream and receive all the tool responses belonging to the victim. The tool responses can be sensitive confidential data.

Additional Details

Session Hijacking Protection in MCP Implementations

The MCP specification recommends - "MCP servers SHOULD bind session IDs to user-specific information".

Current Implementation Status Across SDKs

Of the 10 official MCP SDKs, only the following implementations bind session IDs to user-specific information:

1. csharp-sdk - https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97
2. Go-sdk - https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2

attacker_client_ruby_server.py
legitimate_client_ruby_server.py
The remaining SDKs do not implement session-to-user binding. Most implementations only verify that a session ID exists, without validating ownership. Additionally, SDK documentation does not provide clear guidance on implementing secure session management, leaving security responsibilities unclear for SDK consumers.

Release Notes

0.9.1

Added

• Allow Client#call_tool to accept a tool name (#266)

Fixed

• Return 404 for invalid session ID in handle_delete (#261)

0.9.0

Added

• MCP::Client::Stdio transport (#262)
• Progress notifications per MCP specification (#254)
• Automatic _meta parameter extraction support (#172)
• CORS and Accept wildcard support for browser-based MCP clients (#253)

Changed

• Use autoload to defer loading of unused subsystems (#255)
• Reduce release package size (#239)

Fixed

• Return 404 for invalid session ID in handle_regular_request (#257)
• Use mutex-protected session_exists? in handle_regular_request (#258)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 36 commits:

• Merge pull request #272 from koic/release_0_9_2
• Release 0.9.2
• Merge pull request #273 from koic/use_accessor_in_server_context_with_meta
• Use accessor method in `server_context_with_meta` instead of ivar
• Merge commit from fork
• Reject duplicate SSE connections with 409 to prevent stream hijacking
• Merge pull request #267 from koic/release_0_9_1
• Release 0.9.1
• Merge pull request #266 from koic/allow_client_call_tool_to_accept_a_tool_name
• Allow `Client#call_tool` to accept a tool name
• Merge pull request #261 from koic/return_404_for_invalid_session_id_in_handle_delete
• Merge pull request #264 from koic/release_0_9_0
• Release 0.9.0
• Merge pull request #262 from koic/stdio_client_transport
• Return 404 for invalid session ID in `handle_delete`
• Add `MCP::Client::Stdio` transport
• Merge pull request #260 from koic/use_missing_session_id_response_helper_in_handle_delete
• Use `missing_session_id_response` method in `handle_delete`
• Merge pull request #258 from koic/use_mutex_protected_session_exists_predicate
• Use mutex-protected `session_exists?` in `handle_regular_request`
• Merge pull request #257 from koic/return_404_for_invalid_session_id
• Return 404 for invalid session ID in `handle_regular_request`
• Merge pull request #256 from koic/remove_dead_code_in_handle_regular_request
• Merge pull request #255 from koic/use_autoload_to_defer_loading_of_unused_subsystems
• Merge pull request #253 from koic/support_cors_and_accept_wildcard_for_browser_based_mcp_clients
• Remove dead code in `handle_regular_request`
• Use `autoload` to defer loading of unused subsystems
• Merge pull request #254 from koic/support_progress_notification_per_mcp_spec
• Merge pull request #239 from koic/reduce_release_package_size
• Support progress notifications per MCP specification
• Support CORS and Accept wildcard for browser-based MCP clients
• Merge pull request #252 from koic/fix_rails_controller_example_to_return_202_for_notifications
• [Doc] Fix Rails controller example to return 202 for notifications
• Merge pull request #172 from erickreutz/add-meta-extraction-support
• Add automatic _meta parameter extraction support
• Merge pull request #251 from modelcontextprotocol/dependabot/github_actions/actions/setup-node-6

↗️ bigdecimal (indirect, 4.0.1 → 4.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 30 commits:

• Bump version to 4.1.0 (#505)
• Fix error compiling with ruby.wasm (#504)
• Increase BigMath converge test precisions (#503)
• Fix erfc(x,prec) precision when x is huge (#502)
• Update depend files, etc (#499)
• Use bit_length to calculate NTT bit size (#498)
• Remove DECDIG=uint16_t branch. BigDecimal already requires uint64_t from v3.1.0 (#497)
• Simplify butterfly operation of Number Theoretic Transform (#496)
• Merge pull request #494 from ruby/dependabot/github_actions/rubygems/release-gem-1.1.4
• Merge pull request #495 from ruby/dependabot/github_actions/step-security/harden-runner-2.16.0
• Bump step-security/harden-runner from 2.15.1 to 2.16.0
• Bump rubygems/release-gem from 1.1.2 to 1.1.4
• Merge pull request #493 from ruby/dependabot/github_actions/step-security/harden-runner-2.15.1
• Bump step-security/harden-runner from 2.14.1 to 2.15.1
• Add missing sig file (#492)
• Add RBS signature and testing (#488)
• Split internal extra calculation prec and BigDecimal.double_fig usage (#486)
• Add missing call-seq (#485)
• Remove calculating log(10) in BigMath.log for large/small x (#484)
• Improve taylor series calculation of exp and sin by bit burst algorithm (#433)
• Implement BigMath::PI with Gauss-Legendre algorithm (#434)
• NTT multiplication and Newton-Raphson division (#407)
• Merge pull request #483 from ruby/dependabot/github_actions/actions/checkout-6.0.2
• Merge pull request #482 from ruby/dependabot/github_actions/step-security/harden-runner-2.14.1
• Bump actions/checkout from 6.0.1 to 6.0.2
• Bump step-security/harden-runner from 2.14.0 to 2.14.1
• Change frozen_string_literal from false to true (#481)
• Improve performance of add/sub when exponent of two bigdecimals have huge difference (#478)
• Sample code without deprecated modules (#480)
• Remove ENABLE_NUMERIC_STRING flag (#479)

↗️ json-schema (indirect, 6.1.0 → 6.2.0) · Repo · Changelog

Release Notes

6.2.0

What's Changed

New Features 🎉

• Add Ruby 4.0 support by @bastelfreak in #564
• Restore support for Ruby 2.7 – Ruby 3.1 by @koic in #561
• Allow disabling MultiJSON even when it is installed by @jordan-brough in #566

New Contributors

• @koic made their first contribution in #561
• @jordan-brough made their first contribution in #566

Full Changelog: v6.1.0...v6.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

• Merge pull request #571 from bastelfreak/rel620
• Release 6.2.0
• Merge pull request #566 from jordan-brough/jordan/allow-disabling-multi-json
• add a deprecation warning when multi_json is used
• in dev, allow verion of multi_json compatible with Ruby 2.7
• rubocop tweaks
• Allow disabling MultiJSON even when it is installed
• Merge pull request #570 from voxpupuli/dependabot/github_actions/actions/download-artifact-8
• Merge pull request #569 from voxpupuli/dependabot/github_actions/actions/upload-artifact-7
• Bump actions/download-artifact from 7 to 8
• Bump actions/upload-artifact from 6 to 7
• Merge pull request #561 from koic/restore_support_for_ruby_2_7_to_3_1
• Restore support for Ruby 2.7 – Ruby 3.1
• Merge pull request #564 from bastelfreak/ruby4
• Merge pull request #562 from bastelfreak/anno
• Add GitHub annotations for minitest
• Add Ruby 4.0 support

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[github-actions]

Package	Line Rate	Health
dynamoid	92%	➖
Summary	92% (3823 / 4135)	➖

Minimum allowed line rate is 90%