v0.7.5 — Security patch: CORS & DNS rebinding (GHSA-vrxg-gm77-7q5g)

Security fix

This release addresses GHSA-vrxg-gm77-7q5g reported by @dodge1218.

What was wrong

HTTP transports (sse, streamable-http) emitted Access-Control-Allow-Origin: * unconditionally, allowing any cross-origin browser page to open an unauthenticated MCP session and invoke the PowerShell tool. There was also no Host header validation, leaving localhost-bound servers open to DNS rebinding attacks.

What changed

• No wildcard CORS by default. OptionsMiddleware and CORSMiddleware no longer emit Access-Control-Allow-Origin: *. Without an explicit origin list, no CORS headers are sent — browsers block cross-origin requests via Same-Origin Policy.
• --cors-origins opt-in. Operators who need a browser-based MCP client can pass a comma-separated list of trusted origins (--cors-origins https://my-client.example.com). Only those origins receive CORS headers. Also available as WINDOWS_MCP_CORS_ORIGINS env var and cors_origins in ~/.windows-mcp/config.toml.
• DNS rebinding protection. TrustedHostMiddleware is now applied automatically based on the bind address (loopback → localhost/127.0.0.1/[::1]; specific host → that host). Requests whose Host header doesn't match are rejected before reaching the MCP control plane.

Upgrade

uvx windows-mcp@0.7.5 serve
# or
pip install --upgrade windows-mcp

No configuration changes are required for the default stdio transport or for existing HTTP deployments that don't rely on cross-origin browser access.

Release v0.7.4

Fixes

• Detected double caching of tree nodes, making 2 COM calls per node, now 1 COM call per node, further improved the tree traversal speed.
• Updated the MCP config for setting Windows-MCP in Claude Desktop from Windows Store.
• Handling UIA Errors Cleanly in UIA
• PowerShell Tool missing environment variables fix (Thanks to @JezaChen)

Windows-MCP v0.7.1

Added

• Added PowerShell execution logic extraction into a clean, static PowerShellExecutor class for improved code organization and stability (#158)
• Added MSIX App path resolutions to support natively launching MSIX / UWP Windows applications for AI agents (#126)
• Added Dependabot configuration for weekly and grouped updates to streamline package management (#145, #125)
• Added WINDOWS_MCP_SCREENSHOT_SCALE environment variable to documentation and explicitly handle coordinate mismatches across multiple displays (#116)
• Added .idea/ to .gitignore to exclude JetBrains IDE configurations natively (#120)
• Added dependency lock mapping for cryptography<=46.0.6 to guarantee win_arm64 ARM PyPI installation stability (#149)

Fixed

• Fixed process attachment AttachThreadInput "Access Denied" errors when interacting with protected or elevated processes (#123)
• Fixed graceful two-stage subprocess timeouts for Windows process trees to prevent orphaned tasks (#151)
• Fixed mouse coordinate mismatches by replacing screenshot_size with screenshot_original_size for precise desktop plotting (#116)
• Fixed Snapshot crashes caused by comtypes VARIANT marshaling on non-ASCII application UI layouts (#148)
• Fixed UI rendering breakages by stripping out Unicode Private Use Area characters from tool readouts (#120)
• Fixed Notification tool failing to display toast messages silently (#121)
• Fixed missing scroll attributes in scrape tool (#119)
• Prevented child process freezes by ensuring stdin=DEVNULL is passed to the shell loaders natively

v0.7.0

What's Changed

• fix: keyboard focus not transferred when switching foreground window by @JezaChen in #106
• fix: import _INPUTUnion from enums to fix NameError by @JezaChen in #108
• fix: resolve Known Folder GUID paths before launching apps by @JezaChen in #110
• feat: Screenshot tool with DXCam backend reporting and UIAutomation hang fix by @yasuhirofujii-medley in #104
• refactor: extract tool definitions into tools/ subpackage by @yasuhirofujii-medley in #111
• fix: validate app ID via shell:AppsFolder instead of string check by @JezaChen in #112

Full Changelog: v0.6.9...v0.7.0

v0.6.9

v0.6.9

Improvements

• Tool discoverability — Added keyword synonyms to App, PowerShell, Snapshot, Scrape, Clipboard, Process, and Registry descriptions so AI clients surface the right tool on the first search
• Scrape sampling — Scrape now uses MCP sampling to summarise webpage content server-side, eliminating markdown bloat in the caller's context. New query param to focus extraction; use_sampling=False to get raw content

Bug Fixes & Features

• #98 Snapshot fast screenshot-only path via use_ui_tree=False, skipping expensive accessibility tree traversal for vision-only workflows (Thanks to @yasuhirofujii-medley)
• #97 App resize mode now accepts name to target a specific window directly without switching focus first (Thanks to @JezaChen)
• #96 Switching to a minimized window now restores and focuses it in a single call — (Thanks to @JezaChen)
• #95 Snapshot exposes use_annotation=False to return clean screenshots without bounding box overlays (Thanks to @yasuhirofujii-medley)
• #94 Snapshot accepts display=[0] / display=[0,1] to limit output to specific monitors in multi-monitor setups (Thanks to @xqdd)

Install

uvx windows-mcp==0.6.9

v0.6.2

Changes in v0.6.2

• Extended boolean parameter compatibility to the \desktop\ module.
• Improved handling of tool arguments from LLMs.
• Updated 'manifest.json' for 'mcpb' compatibility in Claude Desktop (Thanks to @bryan-anthropic ).

Changes in v0.6.1

• Fixed Shell tool output issues (Thanks to @yakub268).
• Improved boolean parameter compatibility for main tool definitions.

v0.6.0 - Performance & Stability Improvements

What's Changed

• Performance Optimization: Fixed tool execution latency caused by PostHog analytics interference. Analytics are now batched asynchronously, resulting in ~6x faster tool completion times.
• Improved Initialization: Fixed the issue where the MCP server took too much time to initialize.
• Bug Fixes: Resolved the 'Thread Detach Error' that occurred when switching between applications.

Key Performance Gains

• Removed blocking network calls in tools.
• Reduced server startup time.
• More stable application lifecycle management.

Windows-MCP v0.5.8

Fixes

• Removed dependency on live-inspect

Refactoring

• Migrated from the uiautomation library, for more comprehensive use of the Accessibility API.

Windows-MCP v0.5.4

Features

• Added support to check only the DOM content inside the browser for State-Tool
• Used the DOM content from the tree used in Scrape-Tool

Refactor

• Refactored the code base to support installation as uvx from PYPI.

Windows-MCP v0.3

Fixes

• Fixed issues with windows in Chinese language (Thank you @tangflash).
• Fixed issues vscode when using tools (Thank you @Klauxs )
• Fixed minor issues in the Switch-Tool