
deps: bump mcp lower bound to 1.23.0 for GHSA-9h52-p55h-vw2f #927

Open: joaquinhuigomez wants to merge 1 commit into anthropics:main from joaquinhuigomez:fix/mcp-cve-2025-66416


@joaquinhuigomez

mcp versions >=1.19.0,<1.23.0 are affected by GHSA-9h52-p55h-vw2f (CVE-2025-66416), which disables DNS rebinding protection by default for HTTP-based localhost MCP servers. mcp 1.23.0 enables that protection, so requiring >=1.23.0 prevents new claude-agent-sdk installs from resolving to a vulnerable mcp version.

Fixes #921

mcp >=1.19.0,<1.23.0 is affected by GHSA-9h52-p55h-vw2f (CVE-2025-66416),
which disables DNS rebinding protection by default for HTTP-based
localhost MCP servers. mcp 1.23.0 enables that protection, so requiring
>=1.23.0 prevents new claude-agent-sdk installs from resolving to a
vulnerable mcp version.

Fixes anthropics#921

Development

Successfully merging this pull request may close these issues.

Tighten mcp dependency to >=1.23.0 due to CVE-2025-66416
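
An added example, not part of this pull request or the project's code: a stdlib-only check that flags exact `mcp` pins in a requirements-style lock file when they fall inside the affected range quoted above (>=1.19.0,<1.23.0). The lock-file contents and all function names are constructed for illustration; pre-release and non-exact specifiers are deliberately skipped.

```python
import re

# Affected range as stated in the PR: mcp >=1.19.0,<1.23.0 (GHSA-9h52-p55h-vw2f).
AFFECTED_MIN = (1, 19, 0)
FIXED = (1, 23, 0)

# Exact final-release pins only, e.g. "mcp==1.21.0 \" or "MCP[cli]==1.22.1  # note".
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*"
    r"(\d+(?:\.\d+)*)\s*(?:[;#\\].*)?$"
)

def normalize(name):
    """PEP 503 name normalization, so 'MCP' and 'mcp' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_release(text):
    """Turn '1.21' into (1, 21, 0) so versions compare numerically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    return AFFECTED_MIN <= parse_release(version) < FIXED

def find_affected_pins(lines):
    """Return (line_number, version) for each exact mcp pin in the affected range."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = PIN_RE.match(line)
        if m and normalize(m.group(1)) == "mcp" and is_affected(m.group(2)):
            hits.append((lineno, m.group(2)))
    return hits

# Constructed sample lock file, not taken from any real project.
SAMPLE_LOCK = """\
anyio==4.6.0
mcp==1.21.0 \\
    --hash=sha256:<placeholder>
mcp-helper==1.20.0
MCP[cli]==1.22.1  # constructed
mcp==1.23.0
mcp==1.18.0
""".splitlines()

if __name__ == "__main__":
    for lineno, version in find_affected_pins(SAMPLE_LOCK):
        print(f"line {lineno}: mcp=={version} is in the affected range")
```

A raised lower bound only affects new resolutions, so existing lock files still need a check like this.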
