Commit f761018
fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] (#4347)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/modelcontextprotocol/go-sdk](https://redirect.github.com/modelcontextprotocol/go-sdk) | `v1.4.0` → `v1.4.1` | | |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.
### GitHub Vulnerability Alerts
#### [GHSA-q382-vc8q-7jhj](https://redirect.github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-q382-vc8q-7jhj)
The Go SDK recently transitioned to the `segmentio/encoding` library for
JSON parsing in version 1.3.1. While this change addressed both
case-insensitivity and ASCII folding issues, the new parser implemented
aggressive key matching that treated keys with `null` Unicode characters
appended at the end as equivalent to their base strings.
#### Impact
When combined with duplicate keys, the described behavior leads to a
"last key wins" resolution that could override the intended MCP message.
This had the potential for:
- **Bypassing intermediary inspection:** Proxies or policy layers that
matched on exact field names may have failed to detect or filter these
messages.
- **Cross-implementation inconsistency:** Other MCP SDKs (TypeScript,
Python) use case-sensitive parsing and would reject the same messages,
creating potential security-boundary confusion.
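The "last key wins" merge described above is only dangerous when an inspecting layer and the consuming parser disagree about which keys are the same. As an added example (not part of this PR or of the go-sdk), the following strict pre-check walks a JSON-RPC message with Go's standard `encoding/json` token API and rejects, inside any one object, keys containing U+0000, exact duplicates, and keys that collide under ASCII case folding, so a proxy or policy layer fails closed instead of matching on a spelling the downstream parser may discard. The sample message in the test is constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// CheckStrictKeys rejects keys that a lenient parser might merge ("last key
// wins") while an exact-match policy layer only sees the first spelling.
func CheckStrictKeys(raw []byte) error {
	dec := json.NewDecoder(strings.NewReader(string(raw)))
	return checkValue(dec, "$")
}

func checkValue(dec *json.Decoder, path string) error {
	tok, err := dec.Token()
	if err != nil {
		return err
	}
	d, ok := tok.(json.Delim)
	if !ok {
		return nil // scalar value: nothing to check
	}
	seen := map[string]string{} // lower-cased key -> key as written
	for i := 0; dec.More(); i++ {
		child := fmt.Sprintf("%s[%d]", path, i) // array element path
		if d == '{' {
			kt, err := dec.Token()
			if err != nil {
				return err
			}
			key := kt.(string) // object keys are always strings
			if strings.ContainsRune(key, 0) {
				return fmt.Errorf("%s: key %q contains U+0000", path, key)
			}
			if prev, dup := seen[strings.ToLower(key)]; dup {
				return fmt.Errorf("%s: key %q duplicates or case-collides with %q", path, key, prev)
			}
			seen[strings.ToLower(key)] = key
			child = path + "." + key
		}
		if err := checkValue(dec, child); err != nil {
			return err
		}
	}
	_, err = dec.Token() // consume the closing '}' or ']'
	return err
}
```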
#### Fix:
The `segmentio/encoding` package was patched with a fix in
segmentio/encoding@7d5a25d
and a new version of the package was released (`v0.5.4`). The SDK
switched to the patched version of the dependency in 724dd47aa. Users
are advised to update to v1.4.1 to resolve this issue.
#### Credits:
Thank you to Francesco Lacerenza (Doyensec) for reporting this issue.
---
### Release Notes
<details>
<summary>modelcontextprotocol/go-sdk
(github.com/modelcontextprotocol/go-sdk)</summary>
### [`v1.4.1`](https://redirect.github.com/modelcontextprotocol/go-sdk/releases/tag/v1.4.1)
[Compare Source](https://redirect.github.com/modelcontextprotocol/go-sdk/compare/v1.4.0...v1.4.1)
***This release is a patch release for v1.4.0.***
It contains cherry-picks for several security improvements. Security
advisories will follow.
### Fixes
#### Update of the `segmentio/encoding` module version
The JSON parsing library that was adopted to avoid attacks taking
advantage of Go's standard parser being case insensitive turned out
to contain an issue itself. We have submitted the fix upstream and this
release updates the dependency to the patched version.
#### Cross-origin requests protection
We have added additional protection against cross origin requests. From
now on, we verify that `Content-Type` for JSON-RPC `POST` requests is
set to `application/json` and use the new `http.CrossOriginProtection`
functionality to verify the origin of the request. Usage of this
functionality required **increasing the required Go version to 1.25**,
which is in line with our Go version policy of supporting two newest Go
versions. The behavior can be customized by passing a configured
`http.CrossOriginProtection` object to `StreamableHTTPOptions`.
Since this is a behavior change, we introduced a compatibility parameter
`disablecrossoriginprotection` that allows it to be disabled
temporarily. It will be removed in the `v1.6.0` version of the SDK. See
[here](https://redirect.github.com/modelcontextprotocol/go-sdk/blob/main/docs/mcpgodebug.md)
for more details about behavior changes and a history of compatibility
parameters across SDK versions.
#### Allowing customization of `http.Client` for client-side OAuth
We have introduced an optional `http.Client` parameter to
`AuthorizationCodeHandlerConfig`. This allows customization of the
transport, for example implementing environment specific protection
against [Server-Side Request
Forgery](https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices#server-side-request-forgery-ssrf).
### Pull requests
- internal: fix Unicode zero character handling by
[@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in
[#841](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/841)
- auth: allow passing custom http.Client to AuthorizationCodeHandler by
[@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in
[#840](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/840)
- mcp: verify 'Origin' and 'Content-Type' headers by
[@maciej-kisiel](https://redirect.github.com/maciej-kisiel) in
[#842](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/842)
**Full Changelog**:
<modelcontextprotocol/go-sdk@v1.4.0...v1.4.1>
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone Europe/London,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 25faf3a4f8dc8c406e86a6df26dfc1813eb427951

parent 2d9f65b commit f761018
2 files changed
Lines changed: 6 additions & 6 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
135 | 135 | | |
136 | 136 | | |
137 | 137 | | |
138 | | - | |
| 138 | + | |
139 | 139 | | |
140 | 140 | | |
141 | 141 | | |
| |||
445 | 445 | | |
446 | 446 | | |
447 | 447 | | |
448 | | - | |
| 448 | + | |
449 | 449 | | |
450 | 450 | | |
451 | 451 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
852 | 852 | | |
853 | 853 | | |
854 | 854 | | |
855 | | - | |
856 | | - | |
| 855 | + | |
| 856 | + | |
857 | 857 | | |
858 | 858 | | |
859 | 859 | | |
| |||
1038 | 1038 | | |
1039 | 1039 | | |
1040 | 1040 | | |
1041 | | - | |
1042 | | - | |
| 1041 | + | |
| 1042 | + | |
1043 | 1043 | | |
1044 | 1044 | | |
1045 | 1045 | | |
| |||