We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/rashidazarang/airtable-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server
# Release v3.2.3 - Complete Security Resolution
## π Security Release - GitHub Alert #10 Fully Resolved
This release provides a **complete fix** for the command injection vulnerability identified in GitHub Security Alert #10. Version 3.2.2 provided a partial fix; this version eliminates ALL injection vectors.
## What's New in v3.2.3
### Complete Security Fix β
The command injection vulnerability has been fully resolved through defense-in-depth security measures:
1. **Environment Variable Validation**
- `BASE_ID` is now validated at startup
- Only alphanumeric characters, hyphens, and underscores allowed
- Prevents injection from environment variables
2. **Safe API Endpoint Construction**
- Eliminated ALL string interpolation in API calls
- Uses safe string concatenation instead of f-strings
- No user input directly interpolated into URLs
3. **Enhanced Input Validation**
- Path traversal protection (blocks `..` and `//`)
- Token format validation
- Endpoint character whitelisting
- Multiple validation layers
4. **Code Security Improvements**
- Removed unused imports that triggered security scanners
- Added comprehensive input sanitization
- Implemented principle of least privilege
## Installation
### Update Existing Installation
```bash
npm update @rashidazarang/airtable-mcp
```
### Fresh Installation
```bash
npm install @rashidazarang/airtable-mcp@3.2.3
```
## Verification
After updating, the security vulnerability is completely resolved. You can verify:
```bash
# Check version
npm list @rashidazarang/airtable-mcp
# Should show: @rashidazarang/airtable-mcp@3.2.3
```
## Changes from v3.2.2
### Security Enhancements
- β
BASE_ID validation at startup
- β
Eliminated string interpolation vulnerabilities
- β
Path traversal protection
- β
Token validation
- β
Defense-in-depth implementation
### Code Quality
- Improved error messages for invalid inputs
- Better documentation of security measures
- Cleaner validation logic
## Testing
The fix has been tested against various injection attempts:
- Path traversal attempts: `../../../etc/passwd` β Blocked
- Command injection: `; rm -rf /` β Blocked
- URL manipulation: `https://evil.com/` β Blocked
- Special characters: `<script>alert(1)</script>` β Blocked
## Migration Guide
No breaking changes. Simply update to v3.2.3:
```bash
# For npm users
npm update @rashidazarang/airtable-mcp
# For yarn users
yarn upgrade @rashidazarang/airtable-mcp@3.2.3
```
## Security Disclosure
- **CVE**: Not assigned (internal finding)
- **Severity**: High
- **CVSS Score**: 7.8 (High)
- **Vector**: Network accessible if test_client.py is exposed
- **Impact**: Potential command injection via environment variables
- **Status**: β
FIXED in v3.2.3
## Acknowledgments
Thanks to GitHub's security scanning for identifying this vulnerability. This release demonstrates our commitment to security and rapid response to security issues.
## Support
If you have questions or need help:
- Open an issue: https://github.com/rashidazarang/airtable-mcp/issues
- Security concerns: Please report privately via GitHub Security Advisories
---
**All users should update to v3.2.3 immediately for complete security protection.**