Unknown · MCP Registry · CVE-2026-44427
**Name of the Vulnerable Software and Affected Versions**
MCP Registry versions 1.1.0 through 1.7.4
**Description**
The TrailingSlashMiddleware in `internal/api/server.go` is susceptible to an open redirect. This occurs because the middleware strips trailing slashes from request paths and issues a 308 Permanent Redirect to the cleaned path without validating or sanitizing the resulting path. An attacker can craft a URL using a protocol-relative path (e.g., `//evil.com/`), which results in a Location header of `//evil.com` that browsers interpret as an absolute URL to an external domain. This can be leveraged for phishing, malware distribution, and abusing the trust of the official domain.
**Recommendations**
Update to version 1.7.5.