DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-Q382-VC8Q-7JHJ: GHSA-Q382-VC8Q-7JHJ: JSON Key Collusion via Null Byte Injection in Model Context Protocol Go SDK

#security #cve #cybersecurity #ghsa

GHSA-Q382-VC8Q-7JHJ: JSON Key Collusion via Null Byte Injection in Model Context Protocol Go SDK

Vulnerability ID: GHSA-Q382-VC8Q-7JHJ
CVSS Score: 8.2
Published: 2026-03-19

The Model Context Protocol (MCP) Go SDK, via its dependency on segmentio/encoding, is vulnerable to JSON Key Collusion. The JSON parser improperly handles null Unicode characters during struct field mapping, allowing attackers to smuggle overriding keys past security filters and manipulate backend application logic.

TL;DR

A high-severity parsing flaw in segmentio/encoding enables JSON key collusion via null byte injection. Attackers can bypass WAFs and overwrite critical struct fields in the MCP Go SDK by appending \u0000 to JSON keys.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-20
  • Attack Vector: Network
  • CVSS Score: 8.2
  • Impact: Integrity Violation / Privilege Escalation
  • Exploit Status: Proof of Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • github.com/modelcontextprotocol/go-sdk < v0.5.4
  • github.com/segmentio/encoding < v0.5.4
  • Go applications deserializing untrusted JSON via segmentio/encoding
  • github.com/modelcontextprotocol/go-sdk: < v0.5.4 (Fixed in: v0.5.4)
  • github.com/segmentio/encoding: < v0.5.4 (Fixed in: v0.5.4)

Code Analysis

Commit: 724dd47

Fix commit for modelcontextprotocol/go-sdk bumping encoding dependency

Commit: 7d5a25d

Fix commit for segmentio/encoding adding length validation

Exploit Details

  • Fix Commit Test Suite: Functional PoC located in internal/json/json_test.go demonstrating null character injection

Mitigation Strategies

  • Update github.com/modelcontextprotocol/go-sdk to v0.5.4
  • Update github.com/segmentio/encoding to v0.5.4
  • Configure WAFs to reject JSON payloads containing \u0000 or duplicate keys
  • Implement strict JSON schema validation at the API gateway level

Remediation Steps:

  1. Identify all internal Go projects importing github.com/modelcontextprotocol/go-sdk or github.com/segmentio/encoding.
  2. Execute go get github.com/modelcontextprotocol/go-sdk@v0.5.4 and go get github.com/segmentio/encoding@v0.5.4 in the project root.
  3. Run go mod tidy to update module definitions.
  4. Recompile the binaries and execute integration tests to verify parser stability.
  5. Deploy the updated binaries to production environments.

References

Read the full report for GHSA-Q382-VC8Q-7JHJ on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)