We actively support the following versions of ExcelMcp with security updates:

ExcelMcp includes several security measures:

• Path Traversal Protection: All file paths are validated with Path.GetFullPath()
• File Size Limits: 1GB maximum file size to prevent DoS attacks
• Extension Validation: Only .xlsx and .xlsm files are accepted
• Path Length Validation: Maximum 32,767 characters (Windows limit)

• Enhanced Security Rules: CA2100, CA3003, CA3006, CA5389, CA5390, CA5394 enforced as errors
• Treat Warnings as Errors: All code quality issues must be resolved
• CodeQL Scanning: Automated security scanning on every push

• Controlled Excel Automation: Excel.Application runs with Visible=false and DisplayAlerts=false
• Resource Cleanup: Comprehensive COM object disposal and garbage collection
• No Remote Connections: Only local Excel automation supported

• Dependabot: Automated dependency updates and security patches
• Dependency Review: Pull request scanning for vulnerable dependencies
• Central Package Management: Consistent versioning across all projects

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

Please do not create a public GitHub issue for security vulnerabilities. This could put all users at risk.

Report security vulnerabilities using one of these methods:

Preferred Method: GitHub Security Advisories

1. Go to https://github.com/sbroenne/mcp-server-excel/security/advisories
2. Click "Report a vulnerability"
3. Fill out the advisory form with detailed information

Alternative: Email Send an email to: [maintainer email - to be added]

Subject: [SECURITY] ExcelMcp Vulnerability Report

Please provide as much information as possible:

• Description: Clear description of the vulnerability
• Impact: What could an attacker do with this vulnerability?
• Affected Versions: Which versions are affected?
• Proof of Concept: Steps to reproduce (if possible)
• Suggested Fix: If you have a fix or mitigation (optional)

Example:

Vulnerability: Path traversal in file operations
Impact: Attacker could read/write files outside intended directory
Affected Versions: 1.0.0 - 1.0.2
PoC: ExcelMcp.exe pq-export "../../../etc/passwd" "query"
Suggested Fix: Validate resolved paths are within allowed directories

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 5 business days
• Status Updates: Regular updates on progress
• Fix Timeline:
  • Critical: 7 days
  • High: 30 days
  • Medium: 90 days
  • Low: Best effort

We follow responsible disclosure practices:

1. Private Fix: We'll develop a fix privately
2. Security Advisory: Create GitHub Security Advisory
3. CVE Assignment: Request CVE if applicable
4. Public Release: Release patch with security notes
5. Credit: We'll credit you in the release notes (if desired)

• Validate AI Requests: Review Excel operations requested by AI assistants
• File Path Restrictions: Only allow MCP Server access to specific directories
• Audit Logs: Monitor MCP Server operations in logs
• Trust Configuration: Only enable VBA trust when necessary

• Script Validation: Review automation scripts before execution
• File Permissions: Ensure Excel files have appropriate permissions
• Isolated Environment: Run in sandboxed environment when processing untrusted files
• Excel Security Settings: Maintain appropriate Excel macro security settings

• Code Review: All changes require review before merge
• Branch Protection: Main branch protected with required checks
• Signed Commits: Consider using signed commits (recommended)
• Least Privilege: Run with minimal required permissions

• Local Only: ExcelMcp only supports local Excel automation
• Windows Only: Requires Windows with Excel installed
• Excel Process: Creates Excel.Application COM objects
• Macro Security: VBA operations require user consent via setup-vba-trust

• Full Path Resolution: All paths resolved to absolute paths
• No Network Paths: UNC paths and network drives not supported
• Current User Context: Operations run with current user permissions

• Trusted AI Assistants: Only use with trusted AI platforms
• Request Validation: Review operations before Excel executes them
• Sensitive Data: Avoid exposing workbooks with sensitive data to AI assistants
• Audit Trail: MCP Server logs all operations

Security updates are published through:

• GitHub Security Advisories: https://github.com/sbroenne/mcp-server-excel/security/advisories
• Release Notes: https://github.com/sbroenne/mcp-server-excel/releases
• NuGet Advisories: Package vulnerabilities shown in NuGet

Subscribe to repository notifications to receive security alerts.

• We will acknowledge receipt of vulnerability reports within 48 hours
• We will keep reporters informed of progress
• We will credit researchers in security advisories (if desired)
• We will not take legal action against researchers following responsible disclosure

• Responsible Disclosure: Give us time to fix before public disclosure
• No Harm: Do not access, modify, or delete other users' data
• Good Faith: Act in good faith to help improve security
• Legal: Follow all applicable laws

• GitHub Security: https://github.com/sbroenne/mcp-server-excel/security
• Maintainer: @sbroenne

• OWASP Top 10
• Microsoft Security Response Center
• CVE Database
• National Vulnerability Database

Last Updated: 2024-10-19

Thank you for helping keep ExcelMcp and its users safe!