| Version | Supported |
|---|---|
| 0.9.x | Yes |
| < 0.9 | No |
If you discover a security vulnerability in rust-mcp-sdk, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Use GitHub Security Advisories and include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
| Severity | Acknowledgment | Resolution |
|---|---|---|
| Critical (P0) | 1 business day | 7 days |
| High (P1) | 2 business days | 14 days |
| Medium (P2) | 5 business days | 30 days |
| Low (P3) | 10 business days | Next release |
- We acknowledge receipt within the timeline above
- We investigate and confirm the vulnerability
- We develop a fix in a private branch
- We release the fix and publish a security advisory
- We credit the reporter (unless they prefer anonymity)
This policy covers:
- rust-mcp-sdk — MCP protocol implementation
- rust-mcp-transport — Transport layer (stdio, SSE, streamable HTTP)
- rust-mcp-axum — Axum HTTP integration
- rust-mcp-actix — Actix HTTP integration
- rust-mcp-macros — Proc-macro code generation
- rust-mcp-schema — Protocol schema types
- DNS Rebinding: Localhost MCP servers must validate Host/Origin headers. The SDK provides `DnsRebindingOptions` middleware for this purpose.
- Transport Security: Stdio transport is local-only. HTTP transports should use TLS in production.
- Input Validation: Tool input schemas are validated by the SDK. Servers should additionally validate business logic.
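The Host/Origin check behind the DNS rebinding point above, as an added stand-alone example written for this page (it is not the SDK's `DnsRebindingOptions` middleware; the function names, the loopback allow list and the port 8080 are assumptions):

```rust
/// Loopback names a local MCP server may legitimately be addressed by (lowercase, no port).
const LOOPBACK_HOSTS: &[&str] = &["localhost", "127.0.0.1", "[::1]"];
/// Outcome of checking one request: BadHost = Host missing/unparsable/not ours (the rebinding
/// case), BadOrigin = browser cross-site request whose Origin is not a loopback http origin.
#[derive(Debug, PartialEq)]
pub enum Verdict { Allowed, BadHost(String), BadOrigin(String) }

/// Split "host[:port]" into (lowercase host, optional port); bracketed IPv6 handled; None if malformed.
fn split_host(value: &str) -> Option<(String, Option<u16>)> {
    let v = value.trim().to_ascii_lowercase();
    let (host, port) = if v.starts_with('[') {
        let end = v.find(']')?;
        let rest = &v[end + 1..];
        (v[..=end].to_string(), if rest.is_empty() { None } else { Some(rest.strip_prefix(':')?) })
    } else {
        match v.rsplit_once(':') {
            Some((h, p)) => (h.to_string(), Some(p)),
            None => (v.clone(), None),
        }
    };
    let port = match port { Some(p) => Some(p.parse::<u16>().ok()?), None => None };
    Some((host, port))
}

/// True when `authority` ("host[:port]") is a loopback name and, if a port is given, `our_port`.
fn authority_ok(authority: &str, our_port: u16) -> bool {
    matches!(split_host(authority), Some((h, p))
        if LOOPBACK_HOSTS.contains(&h.as_str()) && p.map_or(true, |p| p == our_port))
}

/// Host is mandatory: a DNS-rebinding request reaches the server with the attacker's domain in it.
/// Origin is only sent by browsers; when present it must be an http origin on a loopback name.
pub fn check_headers(host: Option<&str>, origin: Option<&str>, our_port: u16) -> Verdict {
    match host {
        Some(h) if authority_ok(h, our_port) => {}
        other => return Verdict::BadHost(other.unwrap_or("<missing>").to_string()),
    }
    if let Some(o) = origin {
        let ok = o.trim().to_ascii_lowercase().strip_prefix("http://")
            .map_or(false, |auth| authority_ok(auth, our_port));
        if !ok { return Verdict::BadOrigin(o.to_string()); }
    }
    Verdict::Allowed
}

fn main() {
    // Constructed requests: a legitimate local client, then a rebinding attempt via attacker.example.
    println!("{:?}", check_headers(Some("localhost:8080"), None, 8080));
    println!("{:?}", check_headers(Some("attacker.example:8080"), Some("http://attacker.example:8080"), 8080));
}
```

Run the check before any MCP message is parsed and answer a failed verdict with 403, so a rebound hostname is rejected even though the TCP connection genuinely arrives on loopback.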