We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
| Version | Supported |
|---|---|
| 0.8.x | ✅ |
| < 0.8 | ❌ |
We take the security of MuJoCo MCP seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to security@mujoco-mcp.org (or create a private security advisory on GitHub).
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
We prefer all communications to be in English.
When we receive a security bug report, we will:
- Confirm the problem and determine the affected versions
- Audit code to find any potential similar problems
- Prepare fixes for all supported releases
- Release new security patch versions as soon as possible
When using MuJoCo MCP, we recommend the following security practices:
- Always validate and sanitize XML input before loading MuJoCo models
- Verify model files come from trusted sources
- Use the built-in validation functions before loading models
- When using the MCP server, bind to localhost (127.0.0.1) by default
- Use authentication and encryption when exposing the server over network
- Keep the server behind a firewall in production environments
- Keep all dependencies up to date
- Regularly run
pip install --upgrade mujoco-mcp - Monitor security advisories for MuJoCo and other dependencies
- Set appropriate timeouts for simulations
- Limit the complexity of models that can be loaded
- Monitor memory usage in long-running simulations
- Be cautious when loading models from untrusted sources
- Models can contain custom XML that may affect simulation behavior
- Review model files before loading in production environments
MuJoCo XML parsing may be vulnerable to XXE attacks if external entities are enabled. We disable external entity resolution by default. Do not enable external entities when parsing untrusted XML.
MuJoCo model files can contain plugin references and custom elements. Only load models from trusted sources in production environments.
Very large or complex models can consume significant CPU and memory. Implement resource limits when accepting models from untrusted sources.
We would like to thank the following individuals for responsibly disclosing security issues:
- (No reports yet - be the first!)
When a security vulnerability is found:
- We will work with the reporter to understand and verify the issue
- We will develop and test a fix
- We will release the fix and publish a security advisory
- We will credit the reporter (unless they wish to remain anonymous)
We ask that you:
- Give us reasonable time to fix the issue before public disclosure
- Make a good faith effort to avoid privacy violations and service disruption
- Do not access or modify data that doesn't belong to you
Thank you for helping keep MuJoCo MCP and our users safe!