Security: Teerapat-Vatpitak/mcp-loadtest

SECURITY.md

Security policy

mcp-loadtest is a load-testing tool that spawns user-supplied processes, parses JSON-RPC over stdio/HTTP/SSE, and exposes a self-hosted MCP server (serve --mcp). Security issues in this tool can affect operators running it — not the end users of MCP servers being tested. Vulnerabilities in the MCP servers under test are the responsibility of those servers' authors.

How to report

Email teerapatv.c@gmail.com with a description of the issue and reproduction steps. Please do not file a public GitHub issue for security bugs.

I aim to acknowledge reports within 7 days and to coordinate a fix and public disclosure within 90 days of the initial report. Credit is given in the release notes unless you ask otherwise.

Scope

In scope:

  • Child-process spawning and argv handling for the stdio transport (Session::spawn, command/args parsing).
  • JSON-RPC framing and parsing (line reader, message dispatch).
  • HTTP and SSE transports — URL handling, redirect policy, SSRF surface.
  • serve --mcp mode — path traversal, unbounded stdin reads, OOM via large payloads, request validation.
  • Supply chain — Cargo dependencies (cargo audit / cargo deny findings, advisory follow-up).

Out of scope:

  • Vulnerabilities in MCP servers being tested. Report those to the server's maintainers.
  • Social engineering of maintainers or contributors.
  • DoS against the tool itself when run with deliberately malicious CLI input (e.g. --server "obviously malicious string"). We trust the operator's local CLI input.
  • Issues that require pre-existing local code execution on the operator's machine.

Recent hardening

Shipped in commit bae92c2:

  • Path-traversal block in compare_runs — file arguments are canonicalized and rejected if they escape the expected runs directory.
  • 16 MB line-read cap on stdio transport — protects against memory exhaustion from a malicious or buggy server emitting an unbounded line.
  • Redirect policy set to none on HTTP/SSE transports — blocks redirect-based SSRF and prevents silent redirection to unintended hosts.
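The line-read cap above can be sketched as follows. This is an added example, not code from mcp-loadtest: `read_line_capped`, the `Line` enum and the sample input are hypothetical, and the page's "16 MB" is assumed to mean 16 MiB.

```rust
use std::io::{self, BufRead, Cursor, Read};

// Assumption: the page's "16 MB" is taken here as 16 MiB.
const MAX_LINE_BYTES: usize = 16 * 1024 * 1024;

#[derive(Debug, PartialEq)]
enum Line {
    Complete(Vec<u8>), // one frame, newline stripped
    Eof,               // peer closed the stream cleanly
}

/// Hypothetical helper: read one newline-delimited frame while never
/// buffering more than `cap + 1` bytes, however long the peer's line is.
fn read_line_capped<R: BufRead>(reader: &mut R, cap: usize) -> io::Result<Line> {
    let mut buf = Vec::new();
    // Limit the read to cap + 1 bytes so "exactly cap" and "over cap" differ.
    let mut limited = (&mut *reader).take(cap as u64 + 1);
    if limited.read_until(b'\n', &mut buf)? == 0 {
        return Ok(Line::Eof);
    }
    if buf.last() == Some(&b'\n') {
        buf.pop(); // content is at most `cap` bytes here
        return Ok(Line::Complete(buf));
    }
    if buf.len() <= cap {
        return Ok(Line::Complete(buf)); // final line without trailing newline
    }
    // Over the cap: the rest of the line is still unread, so the caller
    // should fail the session rather than try to resynchronise.
    Err(io::Error::new(io::ErrorKind::InvalidData, "line exceeds cap"))
}

fn main() {
    // Constructed server output: one small JSON-RPC line, then an oversized one.
    let data = format!("{}\n{}\n", r#"{"jsonrpc":"2.0","id":1}"#, "X".repeat(64));
    let mut server_out = Cursor::new(data.into_bytes());
    let demo_cap = 32; // small cap so the demo input can exceed it
    for _ in 0..2 {
        match read_line_capped(&mut server_out, demo_cap) {
            Ok(Line::Complete(b)) => println!("frame: {}", String::from_utf8_lossy(&b)),
            Ok(Line::Eof) => println!("eof"),
            Err(e) => println!("rejected: {}", e),
        }
    }
    println!("production-sized cap: {} bytes", MAX_LINE_BYTES);
}
```

An unbounded `read_line` would grow its buffer until the peer sends a newline; bounding the reader with `take` fixes the worst-case allocation per frame at the cap plus one byte.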

Supported versions

Only the latest 0.x release line receives security fixes. Once 1.0 ships, this policy will be revisited.

Version      Supported
latest 0.x   yes
older 0.x    no

There aren't any published security advisories