Mastra Alternative: Security-First Platform vs TypeScript-First Framework
Mastra is a TypeScript agent framework with 24,329 GitHub stars from the Gatsby team — but CVE-2025-61685 (CVSS 6.5) exposes ~/.aws credential files via Cursor IDE prompt injection, RBAC and auth are gated behind a proprietary ee/ directory unavailable under Apache 2.0, and two unmerged PRs leave open-redirect and OAuth CSRF vulnerabilities in the enterprise auth stack unpatched as of May 2026. A mastra alternative built for security-first teams needs vault proxy isolation, not environment variable credentials.
What is Mastra?
Mastra is an open-source TypeScript agent framework from Kepler Software (the team behind Gatsby) with 24,329 GitHub stars, released August 2024, that provides workflow orchestration, tool calling, and RAG primitives for JavaScript and TypeScript developers under a dual license — Apache 2.0 for the core and a proprietary license for the `ee/` enterprise directory containing auth, RBAC, and adapter permission enforcement.
Why Developers Look for a Mastra Alternative
CVE-2025-61685: Credential File Exposure via MCP Docs Server
CVE-2025-61685 (CVSS 6.5, CWE-548, September 24 2025) is a directory traversal vulnerability in @mastra/mcp-docs-server versions ≤0.13.8. Discovered by Liran Tal, the vulnerability allows prompt injection via Cursor IDE to bypass path traversal protections in readMdxContent via findNearestDirectory, reaching filesystem paths outside the intended docs directory.
The practical blast radius is narrow but severe for developer machines: the traversal exposes ~/.aws/credentials, ~/.config/ (containing service account tokens and application credentials), and ~/.cursor/ (containing IDE configuration and any stored tokens). Any developer running an affected @mastra/mcp-docs-server version alongside Cursor IDE is exposed to credential file read by a malicious prompt.
Mastra patched the vulnerability in version 0.17.0. Teams still running ≤0.13.8 in any environment where the MCP docs server is active are exposed to the full credential traversal path.
Dual License: Security Features Behind the ee/ Paywall
Mastra's Apache 2.0 license covers the core framework. The ee/ directory — containing auth integrations, RBAC, and adapter permission enforcement — is proprietary and not available under the open-source license. This creates three concrete gaps:
RBAC is an enterprise add-on. Role-based access control for agent permissions is not available without the enterprise edition. Teams that need to restrict what specific agents can do — a fundamental security primitive for multi-agent deployments — must pay for the ee/ upgrade.
Adapter permissions are gated. Fine-grained control over which adapters (database connections, API integrations, tool access) specific agents can use requires the proprietary tier. In a multi-tenant agent deployment, this is the difference between isolation and shared access.
Auth integrations are proprietary. The ee/ directory includes WorkOS AuthKit integration (@workos/authkit-session) and better-auth OAuth flows. The open-source core has no auth primitives.
Open Unmerged Security PRs in the Enterprise Auth Stack
Two security vulnerabilities in Mastra's enterprise auth dependencies remain open and unmerged as of May 26 2026:
CVE-2026-42565 (CVSS 4.3): Open redirect in @workos/authkit-session. An attacker can craft a redirect URL that bypasses origin validation in the WorkOS AuthKit session handler, enabling phishing via trusted domain redirect chains.
GHSA-wxw3-q3m9-c3jr (CVSS 5.3): OAuth CSRF in better-auth. The better-auth library used in Mastra's enterprise auth stack has an unpatched CSRF vulnerability in OAuth callback handling. Cross-site request forgery against the OAuth callback can allow an attacker to associate their session with a victim's account during the auth flow.
Both vulnerabilities exist in the ee/ enterprise directory — the tier specifically marketed as providing production-grade security. Teams adopting Mastra enterprise edition for its auth and RBAC capabilities are running auth code with unpatched open-redirect and CSRF vulnerabilities.
OpenLegion's Take: Three Structural Security Gaps
Mastra is a well-engineered TypeScript framework with genuine strengths for JS/TS teams. The developer experience is polished, the release cadence is fast (24,329 stars in under two years), and the workflow primitives are expressive. But three structural security gaps compound for teams deploying agents in production:
Credential exposure by design. Mastra agents receive credentials as environment variables — the standard approach for most frameworks, but one that means every agent process holds every API key it needs. CVE-2025-61685 demonstrated that the surrounding toolchain (MCP docs server, Cursor IDE) can reach those credentials through path traversal even when the agent code itself is clean. OpenLegion's vault proxy injects credentials at the network layer: no agent process ever receives a plaintext API key, making ~/.aws-style exfiltration structurally impossible regardless of what traversal exists in the toolchain.
Security as an enterprise upgrade. RBAC, adapter permissions, and auth integrations require the proprietary ee/ tier. A developer deploying open-source Mastra has no built-in mechanism to restrict what a given agent can access — shared credential access across all agents is the default. OpenLegion's vault proxy, per-agent container isolation, and blackboard permissions are core features available to all users, not gated behind a tier.
Unpatched auth vulnerabilities in the paid tier. CVE-2026-42565 and GHSA-wxw3-q3m9-c3jr sit in @workos/authkit-session and better-auth — the auth dependencies inside the enterprise ee/ directory. Teams paying for enterprise-grade security features are running enterprise auth with open-redirect and OAuth CSRF vulnerabilities that remain unmerged. OpenLegion's zero CVE record as of May 2026 reflects an architecture where credentials are never held by agents and auth is replaced by vault proxy isolation, not added as a separate module.
Mastra vs OpenLegion: Side-by-Side
| Dimension | Mastra | OpenLegion |
|---|---|---|
| Language support | TypeScript only | Python (agents); tool interfaces for any language |
| License | Apache 2.0 (core) + proprietary ee/ | BSL 1.1 → Apache 2.0 after 4 years |
| GitHub stars | 24,329 (May 2026) | Pre-release |
| Credential model | Environment variables — agents hold keys | Vault proxy — agents never hold keys |
| Agent isolation | Process-level, no container boundary | Mandatory per-agent Docker containers |
| RBAC | Proprietary ee/ tier only | Per-agent blackboard permissions (all users) |
| CVE record | CVE-2025-61685 (CVSS 6.5) + 2 open PRs | 0 CVEs reported |
| Auth | WorkOS AuthKit / better-auth (ee/ only) | Vault proxy (no auth layer needed) |
| Budget controls | None built-in | Per-agent daily/monthly caps |
| Multi-agent | Workflow orchestration, tool calling | Blackboard + pub/sub + mesh handoff |
| Open issues | 433 (May 26 2026) | Pre-release |
TypeScript-Only: What It Means in Practice
No Python, Go, or Java Support
Mastra is TypeScript-first by design and currently TypeScript-only. There is no Python SDK, no Go client, no JVM integration. For teams with polyglot codebases or existing Python ML/data infrastructure, adopting Mastra means either rewriting agent logic in TypeScript or accepting that agent coordination cannot span languages.
This is not a temporary gap — it is an architectural choice. Mastra optimizes deeply for the TypeScript developer experience: first-class type inference, native async/await patterns, tight VS Code integration. That optimization means no Python support roadmap. For Python-first teams, Mastra is not a viable option regardless of security posture. OpenLegion, LangGraph, CrewAI, and AutoGen all support Python natively.
For JS/TS shops building internal tools or agent workflows where the entire stack is already TypeScript, Mastra's developer experience is genuinely excellent. Native type inference for tool schemas, tight integration with the Node.js ecosystem, and familiar async/await patterns make agent development feel native to the language rather than adapted from Python conventions.
The trade-off is correct for those teams: accept environment variable credentials and ee/-gated RBAC in exchange for TypeScript-first developer experience — provided CVE-2025-61685 is mitigated by upgrading to 0.17.0 and the unmerged auth PRs are acceptable pending upstream fixes.
Security Architecture: Vault Proxy vs Environment Variables
How Mastra Handles Credentials
Mastra agents receive LLM API keys and service credentials through environment variables — the standard Node.js pattern. Credentials exist in process.env and are accessible to any code running in the agent process, including tool callbacks, MCP server handlers, and any dependency in the node_modules tree.
CVE-2025-61685 demonstrated the concrete risk: a directory traversal in @mastra/mcp-docs-server could reach ~/.aws/credentials because the process environment and filesystem were accessible from the same execution context as the vulnerable server. The agent code itself was not exploited — the surrounding toolchain was. But the credentials were reachable.
How OpenLegion Handles Credentials
OpenLegion's vault proxy sits at the network layer between agents and LLM providers. Agent processes issue API calls through a mesh client. The mesh host intercepts these calls, retrieves the appropriate credential from the vault, injects it into the request header, and forwards to the provider. The agent process never receives a credential string.
This does not prevent all vulnerability classes. But it makes credential exfiltration structurally impossible in the CVE-2025-61685 attack pattern: there is no process.env.OPENAI_API_KEY to steal, no ~/.aws/credentials relevant to agent execution, no credential object accessible from agent code. For deeper analysis of credential isolation patterns, see AI agent security: credential isolation and container hardening.
OpenLegion as a Mastra Alternative
What OpenLegion Provides
Multi-agent coordination via blackboard state, pub/sub events, and mesh handoff — analogous to Mastra's workflow orchestration but with explicit security boundaries per agent. Vault proxy credential injection where no agent process holds API keys. Per-agent Docker isolation with non-root execution and no-new-privileges enforcement. Per-agent daily and monthly budget caps. 100+ LLM providers via LiteLLM integration (OpenAI, Anthropic, Google, Cohere, Azure OpenAI, Bedrock). Fleet templates for repeatable agent topology deployment.
For teams evaluating what an AI agent platform provides beyond a framework, the platform comparison covers the full trade-off landscape.
Honest Trade-offs
No TypeScript SDK — Python only. TypeScript teams cannot use OpenLegion without Python agents or a language-bridging layer. No native Node.js ecosystem integration or TypeScript-first developer experience. Smaller community than Mastra's 24,329 stars. No built-in workflow visualization.
OpenLegion is not the right answer for teams whose primary constraint is TypeScript-only development.
Who Should Consider OpenLegion Over Mastra
Python-first or polyglot teams where TypeScript-only support is a blocker, not a feature.
Teams where credential isolation is a hard requirement — security reviews mandating agents cannot hold plaintext API keys, or regulated environments where credential exposure is a compliance violation.
Teams needing RBAC without an enterprise upgrade — multi-agent deployments where restricting what specific agents can access is a baseline requirement, not a paid add-on.
Teams blocked by Mastra's open CVE posture — if CVE-2025-61685 and the two unmerged auth PRs create unacceptable risk, a zero-CVE architecture with no credential-holding agents changes that evaluation.
For teams currently using Mastra who need to migrate away, the Python-first migration path goes through your tool definitions: any @mastra/tool becomes an OpenLegion @skill function, LLM provider configs move from .env files into the vault, and agent topology moves from Mastra workflow definitions into fleet templates. The migration is not trivial but it is well-defined. The credential migration step in particular — moving from process.env.OPENAI_API_KEY to vault-injected credentials — is the single step that eliminates the CVE-2025-61685 attack class structurally.
See also: OpenLegion vs LangGraph — stateful orchestration and CVE history compared, OpenLegion vs CrewAI — role-based agent coordination, and OpenLegion vs AutoGen — multi-agent patterns. For a full landscape, see AI agent frameworks comparison 2026.
Frequently Asked Questions
What is Mastra and who built it?
Mastra is a TypeScript agent framework with 24,329 GitHub stars built by Kepler Software — the team behind Gatsby — since August 2024. It provides workflow orchestration, tool calling, RAG primitives, and multi-agent coordination for TypeScript developers under a dual license: Apache 2.0 for the core and a proprietary license for the ee/ enterprise directory containing auth, RBAC, and adapter permission enforcement.
What is CVE-2025-61685 in Mastra?
CVE-2025-61685 (CVSS 6.5, September 24 2025) is a directory traversal in @mastra/mcp-docs-server ≤0.13.8, discovered by Liran Tal. Prompt injection via Cursor IDE bypasses path traversal protections in readMdxContent via findNearestDirectory, exposing ~/.aws/credentials, ~/.config/, and ~/.cursor/ files. Mastra patched in version 0.17.0; teams running ≤0.13.8 with the MCP docs server active remain exposed.
Does Mastra have RBAC in the free tier?
No. RBAC, adapter permissions, and auth integrations are in Mastra's proprietary ee/ directory, unavailable under the Apache 2.0 open-source license. Multi-agent deployments that need per-agent permission enforcement require the enterprise edition upgrade. OpenLegion provides per-agent blackboard permissions and vault proxy isolation to all users as core platform features, not a paid tier.
What are the unpatched Mastra security issues as of May 2026?
Two security PRs remain open in Mastra's enterprise auth stack: CVE-2026-42565 (CVSS 4.3, open redirect in @workos/authkit-session) and GHSA-wxw3-q3m9-c3jr (CVSS 5.3, OAuth CSRF in better-auth). Both affect the ee/ enterprise directory — the tier marketed as production-ready auth and security. Neither was merged as of May 26 2026.
Can TypeScript developers use OpenLegion?
OpenLegion agents are Python-only. TypeScript teams would need to run Python agents or build TypeScript tooling that calls OpenLegion APIs — there is no native TypeScript SDK. For TypeScript-first teams, Mastra (patched to 0.17.0+), LangGraph, or AutoGen are more natural choices. OpenLegion is the right fit when security isolation requirements outweigh language preferences.
Is Mastra stable enough for production?
Mastra has 24,329 GitHub stars and active development since August 2024, with 433 open issues as of May 26 2026. The rapid release cadence indicates active development and community investment. Teams adopting Mastra for production should pin to stable releases, monitor the issue tracker for regressions, upgrade @mastra/mcp-docs-server to 0.17.0+, and plan for upstream fixes to CVE-2026-42565 and GHSA-wxw3-q3m9-c3jr before relying on enterprise auth features.
Get Started
OpenLegion is free to try. Get started at app.openlegion.ai or read the platform docs. Already evaluating TypeScript frameworks? See OpenLegion vs LangGraph — security architecture and CVE history compared for a Python-native alternative comparison.