
@goneri
Contributor

@goneri goneri commented Dec 15, 2025

Upgrade MCP Python SDK to 1.24 to address CVE-2025-66416


Note

Upgrades mcp to 1.24 and updates dependency manifests/lockfile, adding required transitive deps (pyjwt, pywin32, etc.).

  • Dependencies:
    • Upgrade mcp from ~1.9.4 to ~1.24 in pyproject.toml and requirements.txt.
    • Update uv.lock accordingly: mcp -> 1.24.0 with new deps (jsonschema, pyjwt[crypto], typing-extensions, typing-inspection, optional pywin32).
    • Add pyjwt==2.10.1 and conditional pywin32==311 to requirements.txt.
  • Lock/metadata:
    • Regenerate uv.lock entries reflecting new mcp version and transitive dependency graph.

Written by Cursor Bugbot for commit fcce961.

@goneri goneri marked this pull request as draft December 15, 2025 16:11
@goneri goneri changed the title from "AAP-59950: CVE-2025-66416: mcp: upgrade to 1.23" to "AAP-59950: CVE-2025-66416: mcp: upgrade to 1.24" Dec 15, 2025
@goneri goneri force-pushed the goneri/AAP-59950-CVE-2025-66416-mcp-upgrade-to-1.23_7941 branch from 749390c to cb190a4 December 15, 2025 16:17
@goneri goneri marked this pull request as ready for review December 16, 2025 22:03
@goneri goneri mentioned this pull request Dec 16, 2025
2 tasks
@ldjebran
Contributor

@goneri have you tested it with MCP servers?

@goneri
Contributor Author

goneri commented Dec 17, 2025

@goneri have you tested it with MCP servers?

It's a work in progress, there is a thread about this on Slack.

@goneri goneri mentioned this pull request Dec 17, 2025
1 task
@goneri
Contributor Author

goneri commented Dec 18, 2025

Works as expected
image

@goneri goneri requested review from ldjebran and romartin December 18, 2025 22:41
Contributor

@ldjebran ldjebran left a comment

LGTM

@ldjebran
Contributor

seems you will need to update the requirements.txt file
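
An added example, not part of this pull request or the project's code: a pre-merge check that both requirements.txt and uv.lock hold `mcp` at or above the version the PR targets, so a manifest left on the old pin is reported. The file contents are constructed samples and the function names are hypothetical; it assumes plain numeric versions and `==`, `~=` or `>=` pins.

```python
import re

# Constructed sample inputs, not the repository's real files.
REQUIREMENTS_TXT = """\
mcp~=1.9.4  # stale pin left behind
pyjwt==2.10.1
pywin32==311 ; sys_platform == "win32"
"""
UV_LOCK = """\
[[package]]
name = "mcp"
version = "1.24.0"
dependencies = [
    { name = "pyjwt", extra = ["crypto"] },
]

[[package]]
name = "pyjwt"
version = "2.10.1"
"""

def parse_version(text):
    """Turn '1.24.0' into (1, 24, 0); assumes plain numeric release versions."""
    return tuple(int(part) for part in text.split("."))

def requirement_floor(requirements, name):
    """Lowest version a ==, ~= or >= line for `name` admits, else None."""
    pattern = re.compile(
        rf"{re.escape(name)}(?:\[[^\]]*\])?\s*(?:==|~=|>=)\s*(\d+(?:\.\d+)*)", re.I)
    for line in requirements.splitlines():
        # Drop trailing comments and environment markers before matching.
        spec = line.split("#", 1)[0].split(";", 1)[0].strip()
        match = pattern.fullmatch(spec)
        if match:
            return parse_version(match.group(1))
    return None

def locked_version(lock_text, name):
    """Version recorded for `name` in a uv.lock style [[package]] table."""
    for block in lock_text.split("[[package]]"):
        pkg = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "(\d+(?:\.\d+)*)"', block, re.M)
        if pkg and ver and pkg.group(1).lower() == name.lower():
            return parse_version(ver.group(1))
    return None

def stale_manifests(requirements, lock_text, name, fixed):
    """Names of the files that are missing `name` or still allow a release older than `fixed`."""
    floor = parse_version(fixed)
    found = {"requirements.txt": requirement_floor(requirements, name),
             "uv.lock": locked_version(lock_text, name)}
    return [f for f, v in found.items() if v is None or v < floor]

if __name__ == "__main__":
    print(stale_manifests(REQUIREMENTS_TXT, UV_LOCK, "mcp", "1.24"))
```

A manifest that does not mention the package at all is reported as well, since nothing in it enforces the fixed version.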

Upgrade MCP Python SDK to 1.24 to address CVE-2025-66416
@goneri goneri force-pushed the goneri/AAP-59950-CVE-2025-66416-mcp-upgrade-to-1.23_7941 branch from cb190a4 to fcce961 December 19, 2025 14:25
@goneri goneri requested review from ldjebran and romartin December 19, 2025 14:25
Contributor

@manstis manstis left a comment

LGTM 👍

4 participants