/usr/lib/go-1.23/bin/go
==========================================
CVE-2026-34742 Variant/Bypass Reproduction
SSEHandler DNS Rebinding Bypass
==========================================

Source Identity Verification:
Vulnerable SDK (v1.3.0): 6b75899fd7dbc168b44b9403b7556be077f88fee
Patched SDK (v1.4.0): c9317fb5b75328ca2faeaf8ea0e23a53c37de49f

========================================
VARIANT 1: SSEHandler DNS Rebinding
Testing against PATCHED version (v1.4.0)
========================================
Building SSE variant test against PATCHED SDK...
go: module /data/pruva/runs/56f9c542-afe7-4761-a739-9003d0c95298/go-sdk-patched requires go >= 1.24.0; switching to go1.25.8
Build successful
Starting SSE server (patched SDK) on 127.0.0.1:9999...
Server PID: 8604
Test 1: POST request to non-existent session (tests Host header processing)...
session not found
HTTP_STATUS:404
Test 2: DNS Rebinding attack simulation (POST with Host: attacker.com)...
session not found
HTTP_STATUS:404
Analysis:
Normal request (localhost): HTTP 404
Attacker Host header: HTTP 404
!!! BYPASS CONFIRMED !!!
SSEHandler treats attacker.com and localhost identically (HTTP 404)
No DNS rebinding protection detected in SSE handler!

========================================
VARIANT 2: DisableLocalhostProtection
Testing bypass via configuration option
========================================
Building disable protection variant...
go: module /data/pruva/runs/56f9c542-afe7-4761-a739-9003d0c95298/go-sdk-patched requires go >= 1.24.0; switching to go1.25.8
Build successful
Starting server with protection disabled...
Server PID: 8808
Test: DNS rebinding with protection disabled...
event: message
data: {"jsonrpc":"2.0","id":1,"error":{"code":0,"message":"method \"tools/list\" is invalid during session initialization"}}
HTTP_STATUS:200
!!! BYPASS CONFIRMED !!!
DisableLocalhostProtection bypassed protection (HTTP 200, not 403)

========================================
VARIANT 3: MCPGODEBUG Environment Var
Testing bypass via env variable
========================================
Building env bypass variant...
go: module /data/pruva/runs/56f9c542-afe7-4761-a739-9003d0c95298/go-sdk-patched requires go >= 1.24.0; switching to go1.25.8
Build successful
Starting server with MCPGODEBUG=disablelocalhostprotection=1...
Server PID: 8997
Test: DNS rebinding with MCPGODEBUG bypass...
event: message
data: {"jsonrpc":"2.0","id":1,"error":{"code":0,"message":"method \"tools/list\" is invalid during session initialization"}}
HTTP_STATUS:200
!!! BYPASS CONFIRMED !!!
MCPGODEBUG env variable bypassed protection (HTTP 200, not 403)

========================================
VARIANT TEST SUMMARY
========================================
Variant 1: SSEHandler DNS Rebinding Bypass
Result: YES
Evidence: /data/pruva/runs/56f9c542-afe7-4761-a739-9003d0c95298/logs/vuln_variant/test2_dns_rebinding.log
Variant 2: DisableLocalhostProtection Bypass
Result: YES
Evidence: /data/pruva/runs/56f9c542-afe7-4761-a739-9003d0c95298/logs/vuln_variant/test_disable_bypass.log
Variant 3: MCPGODEBUG Environment Bypass
Result: YES
Evidence: /data/pruva/runs/56f9c542-afe7-4761-a739-9003d0c95298/logs/vuln_variant/test_env_bypass.log

CONCLUSION: Bypass(es) confirmed - variant exists
See vuln_variant/variant_manifest.json for details