GHSA-q382-vc8q-7jhj: Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk
The Go SDK switched to the segmentio/encoding library for JSON parsing in version 1.3.1. While this change addressed both the case-insensitivity and the ASCII-folding issues, the new parser's key matching was overly aggressive: a key with a null Unicode character (U+0000) appended at the end was treated as equivalent to its base string, so an unexpected key could be matched onto a field it should not have reached.
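The following is an added defensive check, not code from the advisory or the go-sdk: it decodes a payload with the standard library (whose struct-field matching does not fold a trailing U+0000 onto the base key), flags any top-level key containing a NUL, and refuses the payload instead of letting a lenient parser decide what the key means. The `Params` struct and the sample payload are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Params is a hypothetical request payload with one expected key; it is not a
// type from the go-sdk.
type Params struct {
	Name string `json:"name"`
}

// KeysWithNUL decodes the top-level object with encoding/json, which keeps
// "name\u0000" as a key distinct from "name", and returns every key that
// contains U+0000.
func KeysWithNUL(raw []byte) ([]string, error) {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(raw, &obj); err != nil {
		return nil, err
	}
	var bad []string
	for k := range obj {
		if strings.ContainsRune(k, 0) {
			bad = append(bad, k)
		}
	}
	return bad, nil
}

// DecodeStrict rejects a payload whose keys carry a NUL before mapping it onto
// Params, so such a key is neither folded onto "name" nor silently dropped.
func DecodeStrict(raw []byte) (Params, error) {
	bad, err := KeysWithNUL(raw)
	if err != nil {
		return Params{}, err
	}
	if len(bad) > 0 {
		return Params{}, fmt.Errorf("rejecting %d key(s) containing U+0000: %q", len(bad), bad)
	}
	var p Params
	err = json.Unmarshal(raw, &p)
	return p, err
}

func main() {
	// Constructed sample: the key "name" with a trailing \u0000 escape.
	fmt.Println(DecodeStrict([]byte(`{"name\u0000":"spoofed","id":1}`)))
}
```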
References
- github.com/advisories/GHSA-q382-vc8q-7jhj
- github.com/modelcontextprotocol/go-sdk
- github.com/modelcontextprotocol/go-sdk/commit/724dd47aa3431b9d4cf9ac2eebbf7b38a629afca
- github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-q382-vc8q-7jhj
- github.com/segmentio/encoding/commit/7d5a25dbc5da13aed3cb047a127e4d0e96f536fb