VYPR

Go modules package

github.com/modelcontextprotocol/go-sdk

pkg:golang/github.com/modelcontextprotocol/go-sdk

Vulnerabilities (3)

  • CVE-2026-34742HigApr 2, 2026
    affected < 1.4.0fixed 1.4.0

    The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTT

  • CVE-2026-33252HigMar 24, 2026
    affected < 1.4.1fixed 1.4.1

    The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments with

  • CVE-2026-27896HigFeb 26, 2026
    affected < 1.3.1fixed 1.3.1

    The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method",