docs/specification/draft/basic/security_best_practices.mdx
6 additions & 7 deletions
@@ -199,14 +199,13 @@ When you have multiple stateful HTTP servers that handle MCP requests, the follo
199
199
1. The client connects to **Server A** and receives a session ID.
200
200
1. The attacker obtains an existing session ID and sends a malicious event to **Server B** with said session ID.
201
201
202
+
- When a server supports [redelivery/resumable streams](https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#resumability-and-redelivery), deliberately terminating the request before receiving the response could lead to it being resumed by the original client via the GET request for server sent events.
203
+
- If a particular server initiates server sent events as a consequence of a tool call such as a `notifications/tools/list_changed`, where it is possible to affect the tools that are offered by the server, a client could end up with tools that they were not aware were enabled.
202
204
203
-
- When a server supports [redelivery/resumable streams](https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#resumability-and-redelivery), deliberately terminating the request before receiving the response could lead to it being resumed by the original client via the GET request for server sent events.
204
-
- If a particular server initiates server sent events as a consequence of a tool call such as a `notifications/tools/list_changed`, where it is possible to affect the tools that are offered by the server, a client could end up with tools that they were not aware were enabled.
205
-
206
-
3.**Server B** enqueues the event (associated with session ID) into a shared queue.
207
-
4.**Server A** polls the queue for events using the session ID and retrieves the malicious payload.
208
-
5.**Server A** sends the malicious payload to the client as an asynchronous or resumed response.
209
-
6. The client receives and acts on the malicious payload, leading to potential compromise.
205
+
1.**Server B** enqueues the event (associated with session ID) into a shared queue.
206
+
1.**Server A** polls the queue for events using the session ID and retrieves the malicious payload.
207
+
1.**Server A** sends the malicious payload to the client as an asynchronous or resumed response.
208
+
1. The client receives and acts on the malicious payload, leading to potential compromise.
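Review bot: With every step now written as `1.`, the numbering of the added lines from `1.**Server B** enqueues the event` through `1. The client receives and acts on the malicious payload` depends entirely on the list staying continuous across the two bullets, so those bullets need to be indented to the content column of the second step (three spaces under `1. `). If they are not, the renderer closes the list and the Server B step restarts at 1, where the removed `3.` to `6.` markers would at least have kept their numbers. Please confirm the indentation in the rendered preview, since the whitespace is not visible here. As displayed, the three added Server steps also have no space between `1.` and `**Server`, which would stop them parsing as list items if that is how they appear in the file. Separately, the redelivery link in the first bullet is pinned to `/specification/2025-03-26/` although this file lives under `docs/specification/draft/`; consider pointing it at the draft transports page or using a relative link.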