Envoy AI Proxy - MCP Message Smuggling Vulnerability — GHSA-4GPH-2HHR-5MWG

Summary

Envoy AI Gateway was found to be affected by a protocol parser differential vulnerability due to improper implementation of the JSON-RPC 2.0 specification. Such differential causes a MCP message alteration, potentially causing a bypass of security controls in a multi-layered architecture. According to the JSON RPC Spec used by Model Context Protocol, JSON RPC should be case sensitive…

Product

go: github.com/envoyproxy/ai-gateway

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source

Related advisories