Security

Report vulnerabilities responsibly.

cxxmcp takes security seriously. This page explains how to report issues and what is in scope.

Supported Versions

Security fixes target the latest master branch and any active release candidate branch. Stable release-line support will be listed in release notes once cxxmcp declares a stable minor line.

Reporting a Vulnerability

Use GitHub private vulnerability reporting if it is enabled for the repository. If private reporting is not available, contact the maintainer through the GitHub profile and request a private channel.

Do not open a public issue with exploit details, credentials, tokens, private URLs, or proof-of-concept payloads.

What to Include

  • Affected commit, tag, or package version
  • Platform and compiler
  • Affected transport or SDK surface
  • Minimal reproduction steps
  • Expected impact
  • Whether the issue is already public

Scope

Security reports are appropriate for:

  • Parser crashes — JSON-RPC or HTTP parsing that crashes the process
  • Request smuggling — malformed requests that bypass validation
  • Transport/session isolation failures — cross-session data leaks
  • Unsafe process execution — command injection in process stdio transport
  • Credential leaks — tokens, keys, or secrets exposed in logs or responses
  • Auth bypasses — requests that skip authentication when required
  • Denial-of-service vectors — requests that exhaust memory, CPU, or file descriptors
  • Dependency vulnerabilities — CVEs in bundled dependencies that affect the SDK package

Process

The project will:

  • Acknowledge valid reports
  • Coordinate a fix with the reporter
  • Publish release notes or advisories when a public release is affected
  • Credit the reporter (unless they prefer anonymity)

Security-Related Design Decisions

  • Auth is opt-in (CXXMCP_ENABLE_AUTH=ON) — no auth code runs unless you enable it
  • OpenSSL is not vendored — resolved through system package managers or vcpkg
  • Process stdio transport validates response IDs to prevent request/response mismatch
  • HTTP transport validates Mcp-Method/Mcp-Name headers when present (SEP-2243)
  • Bearer tokens are passed via HTTP headers, never in URL query parameters