GHSA-j7h9-2jh7-g967: mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening
mcp-ssh-tool has released version 2.1.1 with security hardening for transfer path authorization and HTTP bearer authentication.
The release addresses:
- insufficient local path policy enforcement in transfer-related filesystem handling
- incomplete canonicalization and segment-boundary handling for deny-prefix path policy checks
- non-constant-time HTTP bearer token comparison
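The sketch below is an added example, not code from mcp-ssh-tool: it contrasts a raw string-prefix deny check with one that canonicalizes paths and matches on segment boundaries, and shows a constant-time bearer token comparison. It is written in Node.js JavaScript as an assumption; the function names, deny list and sample paths are all constructed for illustration.

```javascript
const path = require('path');
const crypto = require('crypto');

// Weak form: raw string prefix test, no canonicalization, no segment boundary.
function naiveIsDenied(requested, denyPrefixes) {
  return denyPrefixes.some((prefix) => requested.startsWith(prefix));
}

// Hardened form: canonicalize both sides lexically, then match whole segments.
// Symlinks are not resolved here; an existing local path also needs fs.realpath.
function isDenied(requested, denyPrefixes) {
  const target = path.posix.resolve('/', requested);
  return denyPrefixes.some((prefix) => {
    const deny = path.posix.resolve('/', prefix);
    if (deny === '/') return true; // denying the root denies everything
    return target === deny || target.startsWith(deny + '/');
  });
}

// Constant-time bearer check. Both values are hashed first so the buffers have
// equal length, which crypto.timingSafeEqual requires.
function bearerMatches(presented, expected) {
  const digest = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Constructed sample policy and paths (hypothetical, not taken from the project).
const DENY = ['/etc', '/home/app/.ssh/'];
const SAMPLES = [
  '/home/app/../../etc/shadow',   // dot-dot segments resolve into /etc
  '/etcetera/notes.txt',          // shares a string prefix, different directory
  '/home/app//.ssh/id_ed25519',   // doubled separator
  '/home/app/.ssh',               // the denied directory itself
  '/home/app/uploads/report.txt', // outside every denied prefix
];

// Runs both checks over the samples so the disagreements are visible side by side.
function compareChecks() {
  return SAMPLES.map((p) => ({
    path: p,
    naive: naiveIsDenied(p, DENY),
    hardened: isDenied(p, DENY),
  }));
}

console.table(compareChecks());
```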