MCP.so
登录

Server Attestation

@studiomeyer-io

关于 Server Attestation

Layer-2 supply-chain hardening for MCP servers — Ed25519-signed tool manifests, runtime spawn-attestation, default-deny argument sanitizer. Defends against marketplace-poisoning + CVE-2025-69256 + CVE-2025-61591.

基本信息

许可证

MIT

运行时

node

发布者

studiomeyer-io

提交者

Matthias Meyer - StudioMeyer

配置

使用下面的配置,将此服务器添加到你的 MCP 客户端。

{
  "mcpServers": {
    "mcp-server-attestation": {
      "command": "npx",
      "args": [
        "mcp-attest-demo"
      ]
    }
  }
}

工具

未检测到工具

工具是从 README 中自动提取的。维护者可以在 ## Tools 标题下列出工具,即可填充这部分内容。

概览

What is Server Attestation?

Layer-2 supply-chain hardening for MCP servers — Ed25519-signed tool manifests, runtime spawn-attestation, default-deny argument sanitizer. Defends against marketplace-poisoning + CVE-2025-69256 + CVE-2025-61591.

How to use Server Attestation?

The README includes setup instructions such as npx mcp-attest-demo.

Key features of Server Attestation

  • CVE-2025-69256 — Serverless Framework MCP RCE via child_process.exec() command injection
  • CVE-2025-61591 — Cursor MCP RCE through OAuth-installed malicious server with spawn hijack
  • Canonical JSON is the signed surface. Re-serialisation cannot change the signed bytes
  • Sandbox or containerise the server process
  • OAuth flow hardening (separate mcp-oauth-shield build)

Use cases of Server Attestation

  • Connect an MCP-compatible client to this repository's service.
  • Review the README-backed setup before enabling it in production.

FAQ from Server Attestation

Where is the source code for Server Attestation?

The source code is linked from the repository URL on this page.

Does Server Attestation include a standard MCP config?

If the README contains a parseable MCP configuration block, it is shown in the Config tab.

评论

更多 MCP 服务器