fix: avoid exposing server exception details to clients

Send generic "Internal Server Error" message to clients instead of
exposing exception types, values, and tracebacks. This prevents
leaking sensitive implementation details while still logging full
exception information server-side for debugging.

Author: felixweinberger

src/mcp/server/lowlevel/server.py

@@ -613,11 +613,7 @@ async def _handle_message(
                         raise message
                     await session.send_log_message(
                         level="error",
-                        data={
-                            "exception_type": type(message).__name__,
-                            "exception_value": str(message),
-                            "exception_traceback": None,
-                        },
+                        data="Internal Server Error",
                         logger="mcp.server.exception_handler",
                     )
 

tests/server/test_lowlevel_exception_handling.py

@@ -49,9 +49,7 @@ async def test_exception_handling_with_raise_exceptions_false(exception_class: t
     call_args = session.send_log_message.call_args
 
     assert call_args.kwargs["level"] == "error"
-    assert call_args.kwargs["data"]["exception_type"] == exception_class.__name__
-    assert call_args.kwargs["data"]["exception_value"] == str(test_exception)
-    assert call_args.kwargs["data"]["exception_traceback"] is None
+    assert call_args.kwargs["data"] == "Internal Server Error"
     assert call_args.kwargs["logger"] == "mcp.server.exception_handler"