fix(server): reject initialize with mismatched MCP-Protocol-Version header#2111
Open
dparikh79 wants to merge 1 commit into
Open
Conversation
…eader When the initial JSON-RPC `initialize` request carries an MCP-Protocol-Version header that disagrees with params.protocolVersion in the body, the Streamable HTTP server silently accepts the request and lets the body win, leaving the client with a session under a version it did not ask for. Add a header-vs-body equality check at the start of the initialize branch in WebStandardStreamableHTTPServerTransport. Header absent stays a soft case (existing behavior). Header present must match body or the request gets a 400. Tests cover both mismatch directions, the matching case, and header-absent (existing behavior preserved). Fixes modelcontextprotocol#2108
🦋 Changeset detectedLatest commit: bd6677f The changes in this PR will be included in the next version bump. This PR includes changesets to release 5 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
@modelcontextprotocol/client
@modelcontextprotocol/server
@modelcontextprotocol/express
@modelcontextprotocol/fastify
@modelcontextprotocol/hono
@modelcontextprotocol/node
commit: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #2108.
When the initial JSON-RPC
initializerequest to the Streamable HTTP server carries anMCP-Protocol-Versionheader that disagrees withinitialize.params.protocolVersionin the body, the server currently accepts the request, lets the body win, and the resulting session uses a version the client never asked for in its HTTP header.This PR adds an equality check at the top of the initialize branch in
WebStandardStreamableHTTPServerTransport.handleRequest. If the header is present and does not match the body'sprotocolVersion, the request is rejected with400 Bad Requestand JSON-RPC error code-32600. Header absent stays a soft case (existing behavior, since the spec allows the header to be omitted on initialize).Why this shape
validateProtocolVersionafter-init path).validateProtocolVersionis left alone. Its JSDoc already documents that initialize defers to version negotiation; that remains true for the header-absent case. Adding the equality check next to the rest of the init-branch validation keeps the surface area minimal and the change reviewable in one block.2025-11-25spec does not explicitly mandate this consistency check, so the change is implementation-level hardening. SEP-2575 is heading toward a related requirement for_meta["io.modelcontextprotocol/protocolVersion"], and this lays groundwork without front-running it.Test plan
New tests in
packages/server/test/server/streamableHttp.test.tsunder the existingHTTPServerTransport - Protocol Version Validationblock:-32600) when header is older than body (header=2025-03-26,body=2025-11-25).-32600) when header is newer than body (header=2025-11-25,body=2025-06-18).pnpm --filter @modelcontextprotocol/server typecheckclean.pnpm --filter @modelcontextprotocol/server lintclean.pnpm --filter @modelcontextprotocol/server test69 / 69 passed (4 new + 65 pre-existing instreamableHttp.test.ts).pnpm test:allgreen across all packages (integration suite 423 / 423).Branch + changeset
Targeted at
mainper CONTRIBUTING ("v2 in development"). Changeset added at.changeset/fix-init-protocol-version-mismatch.mdas a@modelcontextprotocol/serverpatch.Happy to open a parallel PR against
v1.x(where the equivalent code lives insrc/server/webStandardStreamableHttp.ts, same shape) if a maintainer wants it backported.AI Assistance Disclosure
Implementation and tests drafted with Claude assistance. I reviewed every line, ran the suites locally, and am the human contributor accountable for this PR.