Go MCP SDK JSON-RPC Case Sensitivity Vulnerability
Vulnerability
In versions of the Go MCP SDK before 1.3.1, incoming JSON-RPC messages were decoded with the Go standard library's encoding/json, whose Unmarshal matches object keys to struct fields case-insensitively when no exact match exists. A malicious MCP peer could therefore send messages whose member names used non-standard casing (for example "METHOD" or "Method" in place of "method", or "PARAMS" in place of "params") and the SDK would accept and dispatch them. The JSON-RPC 2.0 specification treats member names as case-sensitive, so such messages are malformed and a conforming parser rejects them or ignores the mis-cased members. Because the Go SDK accepted what other MCP SDK implementations with case-sensitive parsing do not, a mis-cased message could be used to slip past intermediaries that inspect messages by exact field name and to create inconsistent behaviour between implementations.
Impact
A message whose member names do not match the JSON-RPC 2.0 spelling exactly is processed by the SDK as though it were well-formed, with no indication that it deviated from the specification. A proxy, gateway or policy layer that matches on exact member names (for instance one that allows or denies requests by the value of "method") may not recognize such a message and let it through, while the SDK behind it still dispatches the request. The same divergence between the Go SDK and case-sensitive MCP implementations is a parser differential at security boundaries: two components can disagree about what a message means, or whether it is a valid message at all.
Reproduction
Send the SDK a JSON-RPC message in which one or more member names use non-standard casing, for example "METHOD" or "Method" instead of "method", or "PARAMS" instead of "params". A version prior to 1.3.1 decodes and dispatches the message as if the names were spelled correctly, whereas a case-sensitive parser rejects it or ignores the mis-cased members, which is the mismatch with the JSON-RPC 2.0 requirements.
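The following Go program is an added illustration and is not code from the Go MCP SDK or from its fix. It models the lenient behaviour (plain json.Unmarshal, which after a failed exact match falls back to a case-insensitive one) beside a strict decoder that reads the object's keys verbatim and rejects any that are not an exact JSON-RPC 2.0 member name. The Request type, the DecodeLenient and DecodeStrict functions and the sample messages are constructed for this example; the strict decoder is one way to enforce case-sensitivity, not necessarily the approach taken in 1.3.1.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Request models the members of a JSON-RPC 2.0 request (constructed for this
// example; it is not the SDK's own message type).
type Request struct {
	JSONRPC string          `json:"jsonrpc"`
	Method  string          `json:"method"`
	Params  json.RawMessage `json:"params,omitempty"`
	ID      json.RawMessage `json:"id,omitempty"`
}

// allowedKeys lists the exact, case-sensitive member names a JSON-RPC 2.0
// request may carry.
var allowedKeys = map[string]bool{"jsonrpc": true, "method": true, "params": true, "id": true}

// DecodeLenient decodes the way plain json.Unmarshal does: when a key has no
// exact struct-field match, encoding/json falls back to a case-insensitive
// match, so "METHOD" is silently stored in Method.
func DecodeLenient(data []byte) (Request, error) {
	var r Request
	err := json.Unmarshal(data, &r)
	return r, err
}

// DecodeStrict rejects any member whose name is not an exact match for a
// JSON-RPC 2.0 member. It first reads the object into a map so that the keys are
// seen exactly as sent, checks each one, and only then decodes into Request.
// Note that json.Decoder.DisallowUnknownFields would not catch "METHOD": the
// decoder counts a case-insensitive match as a known field.
func DecodeStrict(data []byte) (Request, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return Request{}, err
	}
	for k := range raw {
		if !allowedKeys[k] {
			return Request{}, fmt.Errorf("jsonrpc: unexpected member %q (member names are case-sensitive)", k)
		}
	}
	var r Request
	if err := json.Unmarshal(data, &r); err != nil {
		return Request{}, err
	}
	if r.JSONRPC != "2.0" {
		return Request{}, fmt.Errorf("jsonrpc: missing or invalid \"jsonrpc\" member")
	}
	if r.Method == "" {
		return Request{}, fmt.Errorf("jsonrpc: missing \"method\" member")
	}
	return r, nil
}

func main() {
	// Constructed sample messages: a well-formed tools/call request and the
	// same request with every member name upper-cased.
	msgs := [][]byte{
		[]byte(`{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"echo"}}`),
		[]byte(`{"JSONRPC":"2.0","ID":1,"METHOD":"tools/call","PARAMS":{"name":"echo"}}`),
	}
	for _, m := range msgs {
		l, lerr := DecodeLenient(m)
		_, serr := DecodeStrict(m)
		fmt.Printf("%s\n  lenient: method=%q err=%v\n  strict:  err=%v\n", m, l.Method, lerr, serr)
	}
}
```

Running it shows the lenient decoder returning method "tools/call" for both messages, while the strict decoder accepts only the first. A proxy that keys its policy on the exact string "method" would see nothing to match in the second message, which is the bypass the advisory describes.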
Remediation
Users are advised to upgrade to version 1.3.1 or later, where JSON unmarshaling of JSON-RPC messages was made case-sensitive so that members with non-standard casing are no longer matched to their intended fields.
