MCP Spec 2025-11-25: Tasks, URL Mode Elicitation, and What Defenders Must Watch

The November 25, 2025 Model Context Protocol release adds Tasks, formalises long-running work, and reshapes the audit story for enterprise MCP.

Shadab Khan
Security Engineer
6 min read

On November 25, 2025 the Model Context Protocol working group shipped the 2025-11-25 revision of the specification, one year after Anthropic open-sourced MCP. It is the first revision to land after the June 18, 2025 authorization overhaul and after the run of MCP vulnerabilities (CVE-2025-49596 in MCP Inspector, CVE-2025-54136 in Cursor, the GitHub MCP private-repository exfiltration, and the 30-plus further CVEs catalogued since) that pushed the working group toward a more security-aware design. The headline addition is Tasks, an abstraction that lets clients track long-running server work, but the release also formalises URL Mode Elicitation, makes Streamable HTTP the canonical remote transport, and lists enterprise readiness among the top four 2026 roadmap items. For defenders running MCP at scale, this revision changes the shape of the audit trail in ways that policy gates and SIEM rules have to keep up with.

What changed in the November 25, 2025 release?

Three structural changes matter for security. First, any MCP request can now be augmented with a Task: an asynchronous handle the client polls for status and results, retained for a server-defined window. Second, URL Mode Elicitation extends the June 2025 elicitation primitive so a server can ask the user to complete an interaction at a remote URL, which is useful for OAuth-style consent screens and dangerous if the URL points at a phishing page. Third, Streamable HTTP is now the canonical remote transport, replacing the HTTP+SSE pairing that the March 2025 revision deprecated; sessions are explicitly stateful, a server may assign an Mcp-Session-Id at initialization, and once it does the client must send that header on every subsequent request. The November blog post from the working group flagged horizontal scaling and registry-friendly metadata as remaining gaps that 2026 SEPs will address.

Why does the Tasks primitive matter for audit logs?

Before Tasks, a 30-hour Claude Sonnet 4.5 agent run that invoked a database.migrate tool surfaced as a single tool call with a single response. With Tasks, the same call can return a task ID immediately, and the client polls tasks/get and tasks/result until completion. That is operationally cleaner, since clients can disconnect and reconnect, but it splits one logical action across many JSON-RPC request IDs. A SIEM rule that joins a tool invocation to its result by request ID now sees a tools/call whose "response" is only the task handle, and the actual result arrives under a different request ID that the rule never joins, so the result event is silently missed. Safeguard customers should update Splunk and Elastic correlation searches to join on the task ID rather than the request id for any MCP server that advertises the tasks capability in its initialize response.
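To make the correlation gap concrete, here is an added example (not code from the page or from the MCP project) that runs both joins over a constructed client-side log of one task-augmented database.migrate call. The log shape, the direction field, and the wire field names (params.task, result.task.taskId, status) are my assumptions about the 2025-11-25 Tasks model and should be checked against the logs your client actually emits:

```python
import json

# Constructed client-side NDJSON log of one logical action under the
# 2025-11-25 Tasks model: a task-augmented tools/call, two tasks/get polls
# and the final tasks/result. "dir" marks direction as seen by the client.
# Field names (params.task, result.task.taskId, status) follow my reading of
# the Tasks spec and are assumptions to check against your client's real logs.
SAMPLE_LOG = """\
{"dir":"out","id":41,"method":"tools/call","params":{"name":"database.migrate","arguments":{"target":"v42"},"task":{"ttl":3600000}}}
{"dir":"in","id":41,"result":{"task":{"taskId":"task-7f3a","status":"working","createdAt":"2025-12-10T09:00:00Z"}}}
{"dir":"out","id":42,"method":"tasks/get","params":{"taskId":"task-7f3a"}}
{"dir":"in","id":42,"result":{"taskId":"task-7f3a","status":"working"}}
{"dir":"out","id":43,"method":"tasks/get","params":{"taskId":"task-7f3a"}}
{"dir":"in","id":43,"result":{"taskId":"task-7f3a","status":"completed"}}
{"dir":"out","id":44,"method":"tasks/result","params":{"taskId":"task-7f3a"}}
{"dir":"in","id":44,"result":{"content":[{"type":"text","text":"migrated 12 tables"}],"isError":false}}
"""


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def pair_by_request_id(records):
    """Pre-Tasks correlation: join each outbound request to the inbound
    response carrying the same JSON-RPC id."""
    pairs = {}
    for r in records:
        entry = pairs.setdefault(r["id"], {"request": None, "response": None})
        entry["request" if r["dir"] == "out" else "response"] = r
    return pairs


def tool_outcomes_by_request_id(records):
    """What a by-id SIEM rule sees per tools/call: the tool's content if the
    response carried it directly. A task-augmented call yields None because
    its response is only the task handle; the real result never joins."""
    outcomes = {}
    for pair in pair_by_request_id(records).values():
        req, resp = pair["request"], pair["response"]
        if req and req.get("method") == "tools/call":
            result = (resp or {}).get("result", {})
            outcomes[req["params"]["name"]] = result.get("content")
    return outcomes


def correlate_by_task_id(records):
    """Task-aware correlation: stitch the originating call, every poll and
    the tasks/result into one logical event keyed on taskId."""
    tasks = {}
    for rid, pair in sorted(pair_by_request_id(records).items()):
        req, resp = pair["request"], pair["response"]
        if not req or not resp:
            continue  # unanswered request; leave it to a timeout rule
        result = resp.get("result", {})
        method = req["method"]
        if method == "tools/call" and "task" in req["params"]:
            tid = result["task"]["taskId"]
            tasks[tid] = {"tool": req["params"]["name"], "request_ids": [rid],
                          "statuses": [result["task"]["status"]], "result": None}
        elif method in ("tasks/get", "tasks/result", "tasks/cancel"):
            tid = req["params"]["taskId"]
            t = tasks.setdefault(tid, {"tool": None, "request_ids": [],
                                       "statuses": [], "result": None})
            t["request_ids"].append(rid)
            if method == "tasks/get":
                t["statuses"].append(result["status"])
            elif method == "tasks/result":
                t["result"] = result
    return tasks


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("by request id:", tool_outcomes_by_request_id(recs))
    print("by task id:", json.dumps(correlate_by_task_id(recs), indent=2))
```

The by-id join reports database.migrate with no content at all, which is exactly the blind spot: the rule fires on a call that "returned nothing" and never sees "migrated 12 tables". The task-keyed join yields one event carrying the tool name, every request ID it touched, the status transitions, and the final result, which is the record a detection or forensics query should be written against.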

How does URL Mode Elicitation expand the phishing surface?

The original June 18, 2025 elicitation feature was constrained: servers could only request structured data (configuration parameters, boolean choices), and the spec explicitly prohibits using elicitation to collect credentials or other sensitive information. URL Mode loosens this by allowing the server to send a uri the client should open. The intent is legitimate, for example an MCP server brokering a Stripe connection can pop the Stripe Connect onboarding URL, but a compromised or malicious server can equally direct a user to a credential-harvesting page on a typosquatted domain, and the server controls both the message and the link. The spec leaves URI vetting to the client; Cursor 1.3, VS Code 1.107, and Claude Desktop have each implemented different default behaviours.

{
  "method": "elicitation/create",
  "params": {
    "message": "Connect your billing provider",
    "mode": "url",
    "uri": "https://billing-provider.example.com/connect?state=abc123",
    "uriValidation": {
      "expectedOrigin": "https://billing-provider.example.com",
      "consentRequired": true
    }
  }
}

The uriValidation block is advisory; the November 25 spec does not mandate that clients enforce origin pinning, and because the server writes it, a malicious server can simply set expectedOrigin to match its own phishing URL. Enterprises should configure their MCP host to reject URL elicitation from any server not on an internal allowlist, to check the destination origin against a client-side allowlist of its own, and to log every URI shown to the user.
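The following is an added example of the client-side gate described above, written for this article rather than taken from the page or any MCP client implementation. It treats the server-supplied uriValidation block as untrusted, rejects non-https and userinfo-bearing URLs, computes the destination origin itself, and allows only origins on a constructed allowlist, appending every decision to an audit log. The request shapes are constructed to mirror the JSON above and are not real traffic:

```python
from urllib.parse import urlsplit

# Client-managed allowlist of origins a URL-mode elicitation may open.
# Constructed for this example; in practice this is enterprise policy config.
ALLOWED_ORIGINS = {"https://billing-provider.example.com"}


def origin_of(uri):
    """Return (origin, None) as scheme://host[:port] for an https URI, or
    (None, reason) when the URI is rejected outright. Any userinfo is refused
    because 'https://trusted-host@attacker.example/' renders like the trusted
    host in many UIs while actually navigating to attacker.example."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return None, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return None, "userinfo in URL"
    if not parts.hostname:
        return None, "no host"
    try:
        port = parts.port
    except ValueError:
        return None, "invalid port"
    host = parts.hostname.lower()
    origin = f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"
    return origin, None


def evaluate_url_elicitation(params, allowlist=ALLOWED_ORIGINS, audit_log=None):
    """Decide whether the host may open the uri in an elicitation/create
    request with mode "url". The server's expectedOrigin is only checked for
    consistency; the allow decision rests on the client's own allowlist."""
    if params.get("mode") != "url":
        return {"allow": False, "reason": "not a url-mode elicitation"}
    uri = params.get("uri", "")
    origin, err = origin_of(uri)
    decision = {"uri": uri, "origin": origin, "allow": False, "reason": err}
    if origin is not None:
        claimed = params.get("uriValidation", {}).get("expectedOrigin")
        if claimed is not None and claimed.rstrip("/").lower() != origin:
            decision["reason"] = "server's expectedOrigin does not match the URI"
        elif origin not in allowlist:
            decision["reason"] = "origin not on client allowlist"
        else:
            decision.update(allow=True, reason="origin allowlisted")
    if audit_log is not None:
        audit_log.append(decision)  # every URI offered to the user is recorded
    return decision


# Constructed requests: the page's legitimate example, a typosquat that
# vouches for itself via expectedOrigin, a userinfo trick, and a plain-http link.
SAMPLE_REQUESTS = [
    {"message": "Connect your billing provider", "mode": "url",
     "uri": "https://billing-provider.example.com/connect?state=abc123",
     "uriValidation": {"expectedOrigin": "https://billing-provider.example.com",
                       "consentRequired": True}},
    {"message": "Connect your billing provider", "mode": "url",
     "uri": "https://billing-provlder.example.com/connect",
     "uriValidation": {"expectedOrigin": "https://billing-provlder.example.com"}},
    {"message": "Re-authenticate", "mode": "url",
     "uri": "https://billing-provider.example.com@attacker.example/connect"},
    {"message": "Connect", "mode": "url",
     "uri": "http://billing-provider.example.com/connect"},
]


def run_policy(requests=SAMPLE_REQUESTS):
    """Evaluate each request and return the audit log of decisions."""
    log = []
    for req in requests:
        evaluate_url_elicitation(req, audit_log=log)
    return log


if __name__ == "__main__":
    for d in run_policy():
        print("ALLOW " if d["allow"] else "DENY  ", d["uri"], "->", d["reason"])
```

Only the first request is allowed. The typosquat is denied even though its expectedOrigin matches its own URI, which is the point: the server-supplied field can never be the basis for trust. The userinfo and http cases are rejected before any allowlist lookup, and all four decisions land in the audit log for later review.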

What does Streamable HTTP being canonical change?

The deprecated HTTP+SSE transport split state across two endpoints (/sse for events, /messages for requests), which broke behind load balancers and made session pinning painful. Streamable HTTP uses a single endpoint (conventionally /mcp) with Mcp-Session-Id headers: a client POST can be answered with a single JSON response or with an SSE stream, and a client GET opens a server-to-client stream, all under one session. For security teams this matters because the Mcp-Session-Id is now the primary correlation key across an entire agent run. The June 18, 2025 authorization revision already requires MCP servers to act as OAuth 2.0 resource servers and to publish protected resource metadata per RFC 9728, and the November release recommends, but does not require, binding session IDs to the OAuth access token via its cnf claim. Implementations that skip this binding let a captured Mcp-Session-Id be replayed with a different token, including one obtained through the refresh flow, the session-hijack class the working group flagged in SEP-1234.
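An added example, written for this article and not drawn from the spec or any MCP server, of what a server-side session-to-token binding check can look like. Token validation itself is assumed to have happened already (the functions receive the decoded claims); the binding prefers the DPoP key thumbprint in cnf.jkt (RFC 9449) so that a legitimately refreshed token keeps its session, and falls back to a hash of the raw bearer token when no cnf claim is present. Subjects, token strings and thumbprints are constructed:

```python
import hashlib
import secrets


class SessionStore:
    """Server-side Mcp-Session-Id registry that binds each session to the
    OAuth access token presented at initialize and re-checks the binding on
    every later request that carries the session header."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def binding_for(token, claims):
        """Binding material for a token. A cnf.jkt thumbprint identifies the
        client's DPoP key, which survives token refresh; without cnf, the
        only thing to bind to is the opaque token itself."""
        jkt = claims.get("cnf", {}).get("jkt")
        if jkt:
            return ("jkt", jkt)
        return ("token", hashlib.sha256(token.encode()).hexdigest())

    def create(self, token, claims):
        """Called on a successful initialize: mint an unguessable session id
        and record who it belongs to and what token it is bound to."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "binding": self.binding_for(token, claims),
            "sub": claims["sub"],
            "scope": claims.get("scope", ""),
        }
        return sid

    def authorize(self, sid, token, claims):
        """Return (ok, reason) for a request carrying Mcp-Session-Id=sid and
        the given (already validated) token. Unknown sessions and sessions
        bound to a different token are refused; a real server would answer
        404 so the client re-initializes rather than retries."""
        sess = self._sessions.get(sid)
        if sess is None:
            return False, "unknown session"
        if sess["binding"] != self.binding_for(token, claims):
            return False, "session bound to a different token"
        if claims["sub"] != sess["sub"]:
            return False, "subject mismatch"
        return True, "ok"


def demo():
    """Walk through the cases that matter; constructed identities throughout."""
    store = SessionStore()
    results = {}
    # Alice's client uses DPoP, so her token carries cnf.jkt.
    alice = {"sub": "alice", "scope": "repo:read", "cnf": {"jkt": "thumb-alice"}}
    sid = store.create("tok-alice-1", alice)
    results["same_token"] = store.authorize(sid, "tok-alice-1", alice)
    # Refresh rotated the token string but the client key (jkt) is unchanged.
    results["refreshed_token"] = store.authorize(sid, "tok-alice-2", alice)
    # Mallory captured the session id (proxy log, pasted transcript) and
    # presents her own valid token with it.
    mallory = {"sub": "mallory", "scope": "repo:read", "cnf": {"jkt": "thumb-mallory"}}
    results["hijack"] = store.authorize(sid, "tok-mallory-1", mallory)
    # Bob's client sends a plain bearer token: binding is the token hash, so a
    # refresh invalidates the session and the client must re-initialize.
    bob = {"sub": "bob", "scope": "repo:read"}
    sid_bob = store.create("tok-bob-1", bob)
    results["bearer_refresh"] = store.authorize(sid_bob, "tok-bob-2", bob)
    results["unknown"] = store.authorize("not-a-session", "tok-alice-1", alice)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} {'ALLOW' if ok else 'DENY '} {reason}")
```

The hijack case is the one the page warns about: a bare session store would accept Mallory's request because the session id alone is the credential. The bearer_refresh case shows the cost of the fallback binding, which is why cnf-based binding is the preferable design when the client supports it; the alternative is to treat refresh as a re-initialize.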

Which clients have adopted 2025-11-25 already?

As of mid-December 2025, Claude Desktop 0.10.x, the Anthropic Agent SDK 0.6.x, and VS Code 1.107 (released November 13, 2025) advertise protocolVersion: "2025-11-25" in their initialize handshake. Cursor 1.5 still negotiates down to 2025-06-18. Kiro, the AWS coding agent, tracks 2025-06-18 but has an open issue (kirodotdev/Kiro#4785) requesting Tasks and URL Mode support. The MCP Registry, launched in preview on September 8, 2025 and now hosting close to 2,000 entries, has begun annotating server entries with their supported protocol versions, but the field is unverified and self-asserted; expect drift between what a registry entry claims and what the running server actually negotiates.

What should enterprise defenders do this quarter?

Five things. First, audit which MCP servers in your inventory advertise the tasks capability and update SIEM correlation to follow the task ID rather than the request id. Second, build a deny-by-default allowlist for URL elicitation destinations and require security review for any new origin. Third, enable session binding (Mcp-Session-Id to OAuth access token) on every remote MCP server you operate and reject unbound sessions. Fourth, pin a minimum protocol version (2025-06-18 at minimum, 2025-11-25 preferred) and disconnect from any server that negotiates below it; older revisions predate the authorization hardening and the elicitation restrictions that several published attacks relied on being absent. Fifth, ingest the MCP Registry feed daily so you know when a server you depend on quietly republishes with new capabilities, since registry trust is the new chokepoint and the registry itself does not yet sign entries.

How Safeguard Helps

Safeguard ingests MCP server SBOMs and registry entries, mapping each tool advertised by every server you run into a capability graph that flags new tools, changed descriptions, and protocol-version drift between handshake and registry. Policy gates block deployment of any MCP server that does not bind Mcp-Session-Id to its OAuth access token or fails to enforce URL elicitation allowlists. Griffin AI traces task IDs across multi-hour autonomous runs, stitching task_id chains back to the originating user and the OAuth scopes consented to. Audit logs capture every elicitation URL shown to users, every task transition, and every tool description hash so a rug-pull change between approval and invocation surfaces as a finding within minutes — keeping pace with a spec that is evolving faster than most enterprise governance programs can.
