Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorizatrion
Vulnerability Description
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
MCP Go SDK 跨站请求伪造漏洞
Vulnerability Description
MCP Go SDK是Model Context Protocol开源的一个模型上下文协议开发工具包。 MCP Go SDK 1.4.1之前版本存在跨站请求伪造漏洞,该漏洞源于Streamable HTTP传输未验证Origin标头且未要求Content-Type,可能导致任意网站向本地服务器发送请求并触发工具执行。
CVSS Information
N/A
Vulnerability Type
N/A