Anaximand3R

**Name of the Vulnerable Software and Affected Versions** Go MCP SDK versions prior to 1.3.1 **Description** The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing. Go's standard library performs case-insensitive matching of JSON keys to struct field tags, meaning a field tagged json:"method" would also match "Method", "METHOD", etc. It also folds Unicode characters to their ASCII equivalents, such as 'ſ' (U+017F) to 's' and 'K' (U+212A) to 'k'. This behavior violates the JSON-RPC 2.0 specification, which requires exact field names. A malicious MCP peer could send protocol messages with non-standard field casing that the SDK would silently accept, potentially bypassing intermediary inspection and causing cross-implementation inconsistencies. This issue affects the parsing of JSON-RPC and MCP protocol messages. **Recommendations** Update the Go MCP SDK to version 1.3.1 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** github.com/crewjam/saml versions prior to 0.4.14 **Description** The package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow. Consequently, an attacker may perform any authenticated action as the victim once the victim’s browser loaded the SAML IdP initiated SSO link for the malicious service provider. Note that SP registration is commonly an unrestricted operation in IdPs, hence not requiring particular permissions or publicly accessible to ease the IdP interoperability. **Recommendations** For versions prior to 0.4.14, update to version 0.4.14 to fix the issue. As a temporary workaround, consider performing external validation of URLs provided in SAML metadata, or restrict the ability for end-users to upload arbitrary metadata.