
go-sdk Verification

SMT2 formal verification of security-critical code paths

Overall: ALL VERIFIED
Properties Checked: 1
Verified: 1
Failed: 0

Streamable HTTP POST Must Enforce Origin+JSON Gate

VERIFIED

Function: ServeHTTP · Z3 solved in 0.5ms

CVE-2026-33252 class: a browser-reachable MCP HTTP transport that handles state-changing POSTs must validate the Origin header and require a Content-Type of application/json before it deserializes or dispatches a tool call. The two checks cover different attackers: a cross-site HTML form can only submit text/plain, application/x-www-form-urlencoded or multipart/form-data without a CORS preflight, so the JSON requirement alone blocks plain-form CSRF, while the Origin check rejects requests whose Origin header names a site the server does not trust (including the "null" origin a sandboxed frame sends). The property catches sibling CSRF variants where an endpoint is unauthenticated or sessionless and accepts cross-site posts with neither guard. The constraints below model the gate as a single flag pinned to 1 and ask whether it can take any other value (UNSAT means the property holds); how that flag was derived from the checks in ServeHTTP is not shown on this page, so the result is only as strong as that derivation.
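The gate the property describes, written out as an added example. This is not code from go-sdk or from the verified ServeHTTP; the names (csrfGate, gatePOST, checkJSON) and the allowlist of trusted origins are assumptions made for illustration. The example goes slightly beyond the text by treating a missing Origin header as a non-browser client (assumed to be authenticated by other means) and by parsing the media type so parameters such as charset do not break the JSON check.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"net/http"
	"net/url"
	"strings"
)

// Errors returned by the gate; the middleware maps them to HTTP status codes.
var (
	ErrBadOrigin = errors.New("origin not allowed")
	ErrNotJSON   = errors.New("content-type must be application/json")
)

// csrfGate holds the origins permitted to issue state-changing POSTs.
// Keys are full origins ("scheme://host[:port]"), stored lower-cased.
type csrfGate struct {
	allowedOrigins map[string]bool
}

func newCSRFGate(origins ...string) *csrfGate {
	g := &csrfGate{allowedOrigins: map[string]bool{}}
	for _, o := range origins {
		g.allowedOrigins[strings.ToLower(o)] = true
	}
	return g
}

// checkOrigin allows an absent Origin header (assumption: non-browser clients
// such as curl or SDK clients are authenticated elsewhere). A present header
// must parse as scheme://host and match the allowlist exactly; "null" fails
// because it has no scheme or host.
func (g *csrfGate) checkOrigin(origin string) error {
	if origin == "" {
		return nil
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ErrBadOrigin
	}
	if !g.allowedOrigins[strings.ToLower(u.Scheme+"://"+u.Host)] {
		return ErrBadOrigin
	}
	return nil
}

// checkJSON parses the media type so "application/json; charset=utf-8" passes
// while the form types a cross-site <form> can send without a preflight do not.
func checkJSON(contentType string) error {
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil || mt != "application/json" {
		return ErrNotJSON
	}
	return nil
}

// gatePOST runs both checks in order and returns the status the request
// should receive: 200 only when both pass.
func (g *csrfGate) gatePOST(origin, contentType string) (int, error) {
	if err := g.checkOrigin(origin); err != nil {
		return http.StatusForbidden, err
	}
	if err := checkJSON(contentType); err != nil {
		return http.StatusUnsupportedMediaType, err
	}
	return http.StatusOK, nil
}

// Wrap evaluates the gate before the inner handler reads or decodes the body.
func (g *csrfGate) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			status, err := g.gatePOST(r.Header.Get("Origin"), r.Header.Get("Content-Type"))
			if err != nil {
				http.Error(w, err.Error(), status)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	gate := newCSRFGate("http://localhost:3000")
	// Constructed header pairs: a cross-site form post, a same-origin text/plain
	// post, and a legitimate JSON call.
	for _, c := range []struct{ origin, ct string }{
		{"https://evil.example", "application/x-www-form-urlencoded"},
		{"http://localhost:3000", "text/plain"},
		{"http://localhost:3000", "application/json; charset=utf-8"},
	} {
		status, err := gate.gatePOST(c.origin, c.ct)
		fmt.Printf("origin=%q content-type=%q -> %d %v\n", c.origin, c.ct, status, err)
	}
}
```

The order matters: the Origin check runs first so an untrusted site gets 403 regardless of what it sends, and neither check touches the request body, so nothing is deserialized before the gate has passed.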

SMT2 Constraints
; benchmark generated from python API
(set-info :status unknown)
; Model: a single integer flag standing for "the POST gate (Origin check plus
; application/json requirement) is in place".
(declare-fun streamable_http_csrf_guarded () Int)
; The two bounds together pin the flag to exactly 1.
(assert
 (<= streamable_http_csrf_guarded 1))
(assert
 (>= streamable_http_csrf_guarded 1))
; Negated property: can the flag take any value other than 1? An unsat answer
; from (check-sat) means no such assignment exists, so the property holds; a
; sat answer would be a counterexample.
(assert
 (and (distinct streamable_http_csrf_guarded 1) true))
(check-sat)

Last verified: 2026-03-26 16:03:42 UTC · Solver: Z3 4.16.0