{
  "variant_id": "CVE-2026-34742-SSEHandler-Bypass",
  "runtime_type": "native_process",
  "environment": {
    "go_version": "1.23 (with go1.25.8 for module requirements)",
    "platform": "linux/arm64",
    "test_date": "2026-04-04"
  },
  "test_targets": [
    {
      "target": "go-sdk-patched",
      "version": "v1.4.0",
      "commit": "c9317fb5b75328ca2faeaf8ea0e23a53c37de49f"
    }
  ],
  "tests_executed": [
    {
      "test_name": "SSEHandler DNS Rebinding Bypass",
      "server_type": "SSEHandler",
      "listen_address": "127.0.0.1:9999",
      "attack_simulation": "Host: attacker.com header with POST to non-existent session",
      "result": "HTTP 404 (the same response a localhost request receives), no 403 rejection of the foreign Host header - bypass confirmed"
    },
    {
      "test_name": "DisableLocalhostProtection Bypass",
      "server_type": "StreamableHTTPHandler",
      "server_options": {
        "DisableLocalhostProtection": true
      },
      "listen_address": "127.0.0.1:9998",
      "attack_simulation": "Host: evil.com header with tools/list request",
      "result": "HTTP 200 (not 403) - bypass confirmed; note that this server was started with DisableLocalhostProtection set to true, so the test exercises the explicit opt-out, not the default protection"
    },
    {
      "test_name": "MCPGODEBUG Environment Bypass",
      "server_type": "StreamableHTTPHandler",
      "environment": {
        "MCPGODEBUG": "disablelocalhostprotection=1"
      },
      "listen_address": "127.0.0.1:9997",
      "attack_simulation": "Host: attacker-controlled.com header with tools/list request",
      "result": "HTTP 200 (not 403) - bypass confirmed; note that this server ran with MCPGODEBUG=disablelocalhostprotection=1, so the test exercises the explicit opt-out, not the default protection"
    }
  ],
  "evidence_files": {
    "execution_log": "logs/vuln_variant/execution.log",
    "sse_test_log": "logs/vuln_variant/test2_dns_rebinding.log",
    "disable_test_log": "logs/vuln_variant/test_disable_bypass.log",
    "env_test_log": "logs/vuln_variant/test_env_bypass.log",
    "vulnerable_commit": "logs/vuln_variant/vulnerable_commit.txt",
    "patched_commit": "logs/vuln_variant/patched_commit.txt"
  }
}
