New Case-Sensitivity Bypass Vulnerability Disclosed

A new vulnerability, CVE-2026-27896, was disclosed in the MCP Go SDK that allows security controls to be bypassed through case-insensitive JSON field matching. The flaw serves as a critical reminder for developers to audit their own authentication and authorization logic for improper case normalization or case-insensitive comparisons.

The vulnerability stems from Go's standard `encoding/json` library, which by default matches JSON object keys to struct fields case-insensitively when unmarshaling. This behavior deviates from the stricter, case-sensitive JSON-RPC 2.0 specification, creating a discrepancy between how a security appliance like a Web Application Firewall (WAF) and the Go application itself interpret incoming data. An attacker can send a payload with altered casing, like "Method" instead of "method", to bypass WAF rules that are looking for the exact, lowercase field name. This type of flaw is categorized as an "Interpretation Conflict" (CWE-436) and "Improper Handling of Case Sensitivity" (CWE-178).

Such parser differential attacks exploit the subtle differences in how two systems in a processing chain handle the same data. This has been a known issue in Go's JSON parser, with multiple GitHub issues filed over the years discussing the potential for non-deterministic behavior and the deviation from developer expectations.

The fix, implemented in version 1.3.1 of the MCP Go SDK, involves replacing the standard unmarshaler. A new JSON decoder is configured with `dec.DontMatchCaseInsensitiveStructFields()` to enforce strict, case-sensitive matching, closing the interpretation gap that allowed the bypass.

This incident is not isolated to this specific SDK; Go's default parser behaviors have been flagged as security "footguns." Issues like case-insensitive key matching, default acceptance of unknown JSON fields, and allowing duplicate keys (where the last value is used) can all lead to vulnerabilities, especially in multi-language environments where another service's parser behaves differently. For instance, a Java-based service might take the first instance of a duplicated key, while Go takes the last, leading to potential authentication bypasses. For engineers, this highlights the critical need to avoid assumptions about library defaults.
When handling data formats, especially for security-sensitive functions, it is crucial to use the strictest possible parsing settings. Explicitly disabling case-insensitivity and disallowing unknown fields, as seen in the patch for CVE-2026-27896, are essential defensive programming practices. Similar case-normalization flaws have been exploited in other contexts, such as bypassing access controls by requesting URLs with different capitalization (e.g., `/admin` vs. `/ADMIN`). These vulnerabilities underscore a fundamental security principle: input validation and parsing logic should be consistent and strict across all components of an application stack, from the edge proxy to the backend service.
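As an added illustration (not code from the article or from the MCP Go SDK), the following Go program reproduces the default case-insensitive matching on a constructed JSON-RPC envelope and shows one strict pre-check a backend can apply using only the standard library; the `Request` type and the `AllowedKeys` set are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Request: minimal JSON-RPC 2.0 envelope constructed for this example, not the SDK's own type.
type Request struct {
	JSONRPC string          `json:"jsonrpc"`
	Method  string          `json:"method"`
	ID      json.RawMessage `json:"id,omitempty"`
}

// LenientDecode uses encoding/json's default, case-insensitive field matching:
// a payload carrying "Method" (or "METHOD") still populates req.Method.
func LenientDecode(payload []byte) (Request, error) {
	var req Request
	err := json.Unmarshal(payload, &req)
	return req, err
}

// AllowedKeys is the exact-case key set the envelope may carry (assumed for the example).
var AllowedKeys = map[string]bool{"jsonrpc": true, "method": true, "params": true, "id": true}

// StrictDecode walks the top-level tokens first and rejects any key whose
// exact spelling is not allowed, or that appears twice (last-wins semantics
// would otherwise silently apply). Only then does it unmarshal the payload.
func StrictDecode(payload []byte) (Request, error) {
	dec := json.NewDecoder(bytes.NewReader(payload))
	if tok, err := dec.Token(); err != nil || tok != json.Delim('{') {
		return Request{}, fmt.Errorf("expected a JSON object")
	}
	seen := map[string]bool{}
	for dec.More() {
		tok, err := dec.Token()
		if err != nil {
			return Request{}, err
		}
		key := tok.(string) // object keys are always delivered as string tokens
		if !AllowedKeys[key] || seen[key] {
			return Request{}, fmt.Errorf("rejected key %q: unknown spelling or duplicate", key)
		}
		seen[key] = true
		if err := dec.Decode(new(json.RawMessage)); err != nil { // consume the value
			return Request{}, err
		}
	}
	return LenientDecode(payload)
}
```

Note that `dec.DisallowUnknownFields()` on its own does not catch the `Method` variant, because the case-insensitive fallback still counts it as a known field; the pre-check above compares key spellings exactly and also refuses duplicate keys, which the default decoder would resolve last-wins.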
