Skip to content

Migrate fastmcp from 2.x to 3.x across all MCP servers #205

Open
Open
Migrate fastmcp from 2.x to 3.x across all MCP servers#205
@krisrice

Description

@krisrice
krisrice
opened on Apr 18, 2026

Overview

All MCP servers in this repo currently pin fastmcp to versions in the 2.x line (2.12.2 or 2.14.2). The latest 2.x release is 2.14.7 and the latest 3.x release is 3.2.4.

fastmcp 3.0 is a major architectural rewrite and is the actively maintained line going forward. The 2.x line receives minimal updates.

Security Motivation

There are 8 published security advisories for fastmcp, with fixes concentrated in the 3.x releases:

Advisory Severity Description
GHSA-vv7q-7jx5-f767 High SSRF & Path Traversal in $ref resolution and skill downloads
GHSA-c2jp-c369-7pvx High Auth integration account takeover
GHSA-rww4-4w9c-7733 High Missing consent verification in OAuth proxy
GHSA-5h2m-4q8j-pqpj Moderate Improper token reuse across resources (violates RFC 8707)
GHSA-m8x7-r2rg-vh5g Moderate Command injection via server name
GHSA-mxxr-jv3v-6pgc Moderate Reflected XSS in client callback page
GHSA-rj5c-58rq-j5g5 Moderate Windows command injection
GHSA-rcfx-77hg-w2wv Low Requires MCP 1.23+

Key 3.x security hardening includes: JWT algorithm restrictions via JWKS, SSRF/path traversal prevention, OAuth scope enforcement, CSRF fixes, token audience binding (RFC 8707), file upload validation, and HTTP header isolation.

Affected Servers

Server Current Pin
oci-limits-mcp-server 2.12.2
oracle-db-doc-mcp-server 2.14.2
dbtools-mcp-server 2.14.2
oci-pricing-mcp-server 2.14.2
oci-faaas-mcp-server 2.14.2
oci-recovery-mcp-server 2.14.2
oci-networking-mcp-server 2.14.2
oci-compute-instance-agent-mcp-server 2.14.2
oci-usage-mcp-server 2.14.2
oci-resource-search-mcp-server 2.14.2
oci-cloud-guard-mcp-server 2.14.2
oci-migration-mcp-server 2.14.2
mysql-mcp-server 2.14.2
oci-api-mcp-server 2.14.2
oci-monitoring-mcp-server 2.14.2
oci-logging-mcp-server 2.14.2
oci-object-storage-mcp-server 2.14.2
oci-registry-mcp-server 2.14.2
oci-load-balancer-mcp-server 2.14.2
oci-identity-mcp-server 2.14.2
oci-cloud-mcp-server 2.14.2
oci-support-mcp-server 2.14.2
oci-compute-mcp-server 2.14.2
oci-database-mcp-server 2.14.2
oci-network-load-balancer-mcp-server 2.14.2

Near-term Action (non-breaking)

As an immediate improvement, bump all 2.14.2 pins to 2.14.7 and 2.12.2 to 2.14.7 — this is a safe patch/minor bump within 2.x that picks up available fixes without breaking changes.

Migration Tasks

  • Audit each server for fastmcp 2.x APIs that changed or were removed in 3.0
  • Review the fastmcp 3.0 migration guide for breaking changes
  • Update each server's pyproject.toml and requirements.txt to fastmcp>=3.2.4
  • Validate tool registration, server startup, and transport behavior under 3.x
  • Update integration and unit tests accordingly
  • Consider a single PR per server or a single bulk PR depending on test coverage confidence
  • Bump 2.x pins to 2.14.7 in the interim as a separate PR

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions