Releases: AiondaDotCom/mcp-ssh
Release v1.3.8
1.3.7 - Dependency security updates
Security maintenance
Resolves all open npm audit advisories by bumping transitive dependencies. npm audit --audit-level=high now reports zero vulnerabilities.
GHSAs resolved
Production dependency chain (@modelcontextprotocol/sdk → express → router → path-to-regexp):
- path-to-regexp DoS via sequential optional groups (GHSA-j3q9-mxjg-w52f)
- path-to-regexp ReDoS via multiple wildcards (GHSA-27v5-c462-wpq7)
These were not exploitable in practice because mcp-ssh uses the SDK over STDIO and never touches the HTTP routing code paths the advisories apply to — but they are fixed anyway.
Development dependency chain (vitest / test tooling):
- hono — 6 advisories (prototype pollution, cookie handling, IP matching, path traversal, middleware bypass)
- @hono/node-server — middleware bypass via repeated slashes
- node-forge — 4 high-severity crypto advisories
- brace-expansion — DoS via zero-step sequence
- picomatch — method injection + ReDoS
- vite — path traversal, server.fs.deny bypass, arbitrary file read
The vite fix required a minor bump of vitest and @vitest/coverage-v8 from 4.0.18 to 4.1.4.
Verification
- npm audit --audit-level=high → 0 vulnerabilities
- vitest run → 99/99 tests green
Upgrade
npm install -g @aiondadotcom/mcp-ssh@1.3.7 or update your client config to use npx @aiondadotcom/mcp-ssh@latest.
1.3.6 - Fix Windows startup (issue #8)
Bug fix
Fixes a silent startup failure when launching the server via bin/mcp-ssh.js on Windows MCP clients (e.g. Antigravity), which manifested as a failed to initialize: EOF error in the client.
Cause
server.mjs had an isMainModule heuristic that compared process.argv[1] against forward-slash path suffixes (/mcp-ssh.js, /server.mjs, /mcp-ssh). On Windows, process.argv[1] uses backslashes, so none of those endsWith checks matched and main() was never called. The process exited silently, and the MCP client saw STDIO close immediately.
Fix
The isMainModule heuristic has been removed entirely. bin/mcp-ssh.js now imports main() from server.mjs and calls it explicitly. This is the only real entry point and works identically on every platform.
Credit
Upgrade
npm install -g @aiondadotcom/mcp-ssh@1.3.6 or update your client config to use npx @aiondadotcom/mcp-ssh@latest.
1.3.5 - Security fix (high)
Security fix (high severity)
This release fixes a high-severity local RCE in the MCP server and ships several related hardenings. All users should upgrade.
What was vulnerable
A crafted hostAlias such as -oProxyCommand=... was passed to ssh/scp without an argument terminator. SSH interprets arguments starting with - as options regardless of position, so the option-injection caused SSH to execute the attacker-supplied ProxyCommand locally on the machine running the MCP server — before any network connection. This bypassed the documented protection of # @password: annotations and exposed local SSH keys, browser cookies, other MCP server credentials, and anything else readable by the server process.
A second local-RCE vector existed on Windows: spawn(..., { shell: true }) was used so that ssh.exe/scp.exe could be found via PATH. With shell: true, every argument is re-parsed by cmd.exe, so shell metacharacters (&, |, ^, >, ", ;, …) in hostAlias, command, localPath or remotePath would have been interpreted by cmd.exe and could have triggered arbitrary local command execution on Windows.
Threat model
The MCP server runs locally over STDIO, but the LLM driving it is not trusted: its tool arguments can be steered by prompt injection from any untrusted text in the conversation context (web pages, e-mails, repository files, output of other MCP servers). The attack does not require a malicious user — it requires only that the LLM ingests attacker-controlled text at any point.
What was fixed
- Add -- argument terminator to all ssh/scp invocations.
- Strict whitelist for hostAlias (^[A-Za-z0-9_.@:][A-Za-z0-9._@:-]*$) — rejects leading - and shell metacharacters.
- Known-host check: every hostAlias must be defined in ~/.ssh/config (including Include directives) or present in ~/.ssh/known_hosts. The LLM can no longer reach arbitrary hostnames the user has not explicitly configured.
- Resolve ssh.exe/scp.exe to absolute paths once at startup via PATH + PATHEXT walk on Windows; use shell: false everywhere.
- expandIncludePath() now handles Windows drive-letter and UNC paths correctly and accepts ~\path with backslash separators.
- Drop hard-coded DISPLAY=:0 from the askpass environment (POSIX/X11 assumption that could break Windows).
- Documented threat model and trust boundaries in README.md.
- Regression tests for option-injection, shell-metacharacter injection, unknown-host rejection, Include directives and known_hosts entries (99 tests, all green).
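The first four fixes above, combined in one place as an added example (not code from mcp-ssh). The function names, the knownHosts set and the sample values are assumptions made for illustration; only the regular expression is taken from these notes.

```javascript
// Added example: hostAlias handling as described in the 1.3.5 notes.
// Function names and sample values are hypothetical, not mcp-ssh's code.

// Whitelist quoted in the release notes: no leading "-", no shell metacharacters.
const HOST_ALIAS_RE = /^[A-Za-z0-9_.@:][A-Za-z0-9._@:-]*$/;

function validateHostAlias(hostAlias, knownHosts) {
  if (typeof hostAlias !== 'string' || !HOST_ALIAS_RE.test(hostAlias)) {
    throw new Error('hostAlias rejected by whitelist');
  }
  // Known-host check: the caller supplies the aliases it parsed from
  // ~/.ssh/config and ~/.ssh/known_hosts (parsing is out of scope here).
  if (!knownHosts.has(hostAlias)) {
    throw new Error('hostAlias is not a configured host');
  }
  return hostAlias;
}

// Pre-fix shape: the alias sits where ssh still parses options.
function buildSshArgsUnsafe(hostAlias, command) {
  return [hostAlias, command];
}

// Post-fix shape: validate first, then end option parsing with "--".
function buildSshArgs(hostAlias, command, knownHosts) {
  return ['--', validateHostAlias(hostAlias, knownHosts), command];
}

// Spawn without a shell so cmd.exe or /bin/sh never re-parses the arguments.
// sshPath is assumed to be an absolute path resolved once at startup.
async function runSsh(sshPath, hostAlias, command, knownHosts) {
  const { spawn } = await import('node:child_process');
  const args = buildSshArgs(hostAlias, command, knownHosts);
  return spawn(sshPath, args, { shell: false, stdio: ['ignore', 'pipe', 'pipe'] });
}

// Constructed inputs for demonstration.
const SAMPLE_KNOWN = new Set(['web01', 'deploy@build.internal']);
const SAMPLE_INJECTED = '-oProxyCommand=placeholder';

// Returns the argv on success or the rejection reason on failure.
function tryBuild(alias) {
  try { return buildSshArgs(alias, 'uptime', SAMPLE_KNOWN); }
  catch (err) { return err.message; }
}
```

An alias that passes the whitelist but is not in the configured set is still refused, so the two checks are independent layers rather than alternatives.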
Affected versions
< 1.3.5
Fixed in
1.3.5
Credit
Reported by Pico (@piiiico) as part of an MCP server security audit. Thank you for the responsible disclosure.
Upgrade
npm install -g @aiondadotcom/mcp-ssh@1.3.5 or update your claude_desktop_config.json to use npx @aiondadotcom/mcp-ssh@latest.
Release v1.0.3 - Desktop Extension
MCP SSH Agent v1.0.3 - Desktop Extension
What's New
- Desktop Extension Support: One-click installation for Claude Desktop
- Fixed Configuration: Corrected manifest.json for reliable extension loading
- Improved Stability: Native SSH command integration for maximum compatibility
Installation Options
Option 1: Desktop Extension (Recommended)
- Download the mcp-ssh-1.0.3.dxt file below
- Open Claude Desktop
- Go to Settings > Extensions
- Click "Install from file" and select the downloaded .dxt file
- Restart Claude Desktop
Option 2: Manual Configuration
Add to your Claude Desktop config:
{
  "mcpServers": {
    "mcp-ssh": {
      "command": "npx",
      "args": ["@aiondadotcom/mcp-ssh"]
    }
  }
}
Features
- List and connect to SSH hosts from ~/.ssh/config
- Execute remote commands securely
- Upload/download files via SCP
- Batch command execution
- Host connectivity testing
Requirements
- Node.js 14+
- SSH client installed
- Properly configured SSH keys
🤖 Generated with Claude Code