
GHSA-4gph-2hhr-5mwg: Envoy AI Proxy - MCP Message Smuggling Vulnerability

May 19, 2026

Envoy AI Gateway was found to be affected by a protocol parser differential vulnerability due to an improper implementation of the JSON-RPC 2.0 specification. This differential alters MCP messages, potentially allowing a bypass of security controls in a multi-layered architecture.

According to the JSON-RPC specification used by the Model Context Protocol (https://www.jsonrpc.org/specification), JSON-RPC should be case-sensitive:

[...]
All member names exchanged between the Client and the Server that are considered for matching of any kind should be considered to be case-sensitive. The terms function, method, and procedure can be assumed to be interchangeable.

The AI Gateway accepts and processes case-variant fields that compliant MCP implementations correctly ignore. Crucially, Envoy does not just “pass through” the message as a transparent proxy; it alters the traffic, allowing smuggling of unwanted requests.

The following steps represent the incoming message alteration:

  1. Incoming MCP Message:

     {
       "id": 1,
       "jsonrpc": "2.0",
       "method": "tools/call",
       "params": {
         "name": "backend__greet",
         "Name": "backend__secretTool",
         "arguments": {
           "name": "World!"
         },
         "Arguments": {
           "name": "Exploit"
         }
       }
     }

  2. Parses the request, picking the non-standard Name field over the authorized name field due to internal case-insensitive parsing by libraries such as modelcontextprotocol/go-sdk/jsonrpc and github.com/bytedance/sonic
  3. Overwrites the authorized “backend__greet” value from the valid name field with the malicious value from the Name field
  4. Normalizes the injected “backend__secretTool” value (from the invalid Name field)
  5. Re-serializes the request into a new, valid MCP JSON-RPC payload ({"name": "backend__secretTool"}) and forwards it upstream

This “smuggling” effect means Envoy actively transforms a request that might have been checked by any prior MCP-compliant implementation into a request that is valid and altered (from the perspective of the upstream backend), effectively introducing protocol modifications that may allow bypassing any prior authorization layer.
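
The differential and a strict check against it, as an added example that is not code from Envoy AI Gateway or the advisory. It uses Go's standard encoding/json as a stand-in for the libraries named above (it also matches member names case-insensitively); the `toolCall` type and both function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: the params object from the advisory's message.
const sampleParams = `{"name":"backend__greet","Name":"backend__secretTool",` +
	`"arguments":{"name":"World!"},"Arguments":{"name":"Exploit"}}`

// toolCall mirrors the tools/call params; hypothetical type, not the gateway's.
type toolCall struct {
	Name      string            `json:"name"`
	Arguments map[string]string `json:"arguments"`
}

// lenientName decodes with encoding/json, which matches keys to struct
// fields case-insensitively; a later "Name" overwrites the earlier "name".
func lenientName(raw string) (string, error) {
	var c toolCall
	err := json.Unmarshal([]byte(raw), &c)
	return c.Name, err
}

// strictName rejects any key that is a case variant of an expected member,
// so every layer agrees on the message or the message is refused.
func strictName(raw string) (string, error) {
	var members map[string]json.RawMessage
	if err := json.Unmarshal([]byte(raw), &members); err != nil {
		return "", err
	}
	for key := range members {
		for _, want := range []string{"name", "arguments"} {
			if key != want && strings.EqualFold(key, want) {
				return "", fmt.Errorf("case-variant member %q rejected", key)
			}
		}
	}
	var name string
	err := json.Unmarshal(members["name"], &name)
	return name, err
}

func main() {
	fmt.Println(lenientName(sampleParams))
	fmt.Println(strictName(sampleParams))
}
```

Rejecting the message outright, rather than silently dropping the variant keys, keeps the gateway from forwarding anything an earlier layer may have interpreted differently.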

References

  • github.com/advisories/GHSA-4gph-2hhr-5mwg
  • github.com/envoyproxy/ai-gateway/security/advisories/GHSA-4gph-2hhr-5mwg

Affected versions

All versions before 0.6.0

Fixed versions

  • 0.6.0

Solution

Upgrade to version 0.6.0 or above.

Impact 3.7 LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Weakness

  • CWE-178: Improper Handling of Case Sensitivity

Source file

go/github.com/envoyproxy/ai-gateway/GHSA-4gph-2hhr-5mwg.yml

Page generated Tue, 23 Jun 2026 12:24:03 +0000.