github · python-sdke8e64842781c

Evidence

# Try both npx.cmd and npx.exe on Windows

        for cmd in ["npx.cmd", "npx.exe", "npx"]:

            try:

                subprocess.run([cmd, "--version"], check=True, capture_output=True, shell=True)

                return cmd

            except subprocess.CalledProcessError:

                continue

RemediationAI

The problem is that `subprocess.run()` is called with `shell=True` and a hardcoded command list, but the `shell=True` flag is unnecessary and dangerous when using list-form arguments. Remove the `shell=True` parameter from the `subprocess.run()` call in `src/mcp/cli/cli.py` — change `subprocess.run([cmd, "--version"], check=True, capture_output=True, shell=True)` to `subprocess.run([cmd, "--version"], check=True, capture_output=True)`. This fix eliminates the command injection risk because list-form subprocess calls with `shell=False` (the default) do not interpret shell metacharacters. Verify by running the function and confirming it still detects npx correctly without shell interpretation.

Evidence

"""MCP unified conformance test client.

This client is designed to work with the @modelcontextprotocol/conformance npm package.

It handles all conformance test scenarios via environment variables and CLI arguments.

Contract:

    - MCP_CONFORMANCE_SCENARIO env var -> scenario name

    - MCP_CONFORMANCE_CONTEXT env var -> optional JSON (for client-credentials scenarios)

    - Server URL as last CLI argument (sys.argv[1])

    - Must exit 0 within 30 seconds

Scenarios:

    initialize             

RemediationAI

The problem is that the conformance test client uses a decorator-based `HANDLERS` dictionary that allows runtime re-registration of tool behavior, creating a vector for self-re-registration attacks where handlers can modify their own behavior at runtime. Implement a frozen or immutable handler registry by converting `HANDLERS` from a mutable dict to a `types.MappingProxyType(HANDLERS)` or by removing the `register()` function and using only static decorator registration at module load time. This fix prevents handlers from re-registering themselves with different behavior after initialization. Verify by attempting to call `register()` after the server starts and confirming it raises an `AttributeError` or `TypeError`.

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Replace this README with README.v2.md when v2 is released -->

> [!NOTE]

> **This README documents v1.x of the MCP Pyt

RemediationAI

The problem is that the README documents MCP resource handlers but does not provide path-canonicalization guidance, leaving developers vulnerable to directory traversal attacks when implementing file-serving resources. Add a security best-practices section to README.md that explicitly documents the requirement to canonicalize file paths using `os.path.realpath()` combined with `os.path.commonpath()` or `pathlib.Path.relative_to()` before opening files in resource handlers. This fix prevents attackers from using `../` sequences or absolute paths to escape the intended root directory. Verify by creating a test resource handler that attempts to access `../../etc/passwd` and confirming it raises a `ValueError` or returns an error instead of serving the file.

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Move this content back to README.md when v2 is released -->

> [!IMPORTANT]

> **This documents v2 of the SDK (currentl

RemediationAI

The problem is that README.v2.md documents MCP resource handlers without providing path-canonicalization security guidance, leaving developers vulnerable to directory traversal attacks. Add a security best-practices section to README.v2.md that explicitly documents the requirement to canonicalize file paths using `os.path.realpath()` combined with `os.path.commonpath()` or `pathlib.Path.relative_to()` before opening files in resource handlers. This fix prevents attackers from using `../` sequences or absolute paths to escape the intended root directory. Verify by creating a test resource handler that attempts to access `../../etc/passwd` and confirming it raises a `ValueError` or returns an error instead of serving the file.

Evidence

from mcp.server.mcpserver import MCPServer

from mcp.server.mcpserver.prompts import base

mcp = MCPServer(name="Prompt Example")

@mcp.prompt(title="Code Review")

def review_code(code: str) -> str:

    return f"Please review this code:\n\n{code}"

@mcp.prompt(title="Debug Assistant")

def debug_error(error: str) -> list[base.Message]:

    return [

        base.UserMessage("I'm seeing this error:"),

        base.UserMessage(error),

        base.AssistantMessage("I'll help debug that. What have y

RemediationAI

The problem is that the `review_code()` prompt handler in `examples/snippets/servers/basic_prompt.py` uses an f-string to interpolate the untrusted `code` parameter directly into the prompt text, allowing an attacker to inject arbitrary instructions into the LLM's context. Replace the f-string with a safe wrapper: change `return f"Please review this code:\n\n{code}"` to `return f"Please review this code:\n\n<untrusted>{code}</untrusted>"` or use `json.dumps(code)` to escape special characters. This fix signals to the LLM that the content is untrusted and prevents prompt injection attacks. Verify by passing a prompt like `ignore previous instructions and do X` and confirming the LLM treats it as code to review, not as new instructions.

Evidence

"""MCPServer Echo Server"""

from mcp.server.mcpserver import MCPServer

# Create server

mcp = MCPServer("Echo Server")

@mcp.tool()

def echo_tool(text: str) -> str:

    """Echo the input text"""

    return text

@mcp.resource("echo://static")

def echo_resource() -> str:

    return "Echo!"

@mcp.resource("echo://{text}")

def echo_template(text: str) -> str:

    """Echo the input text"""

    return f"Echo: {text}"

@mcp.prompt("echo")

def echo_prompt(text: str) -> str:

    return text

RemediationAI

The problem is that the `echo.py` example file registers MCP resource and tool handlers but does not demonstrate safe handling of user input in prompts or resource URIs. Add a prompt handler example that wraps untrusted parameters in `<untrusted>...</untrusted>` tags or uses `json.dumps()` to escape them, and document path canonicalization for any file-serving resources. This fix prevents prompt injection and directory traversal attacks in handlers. Verify by adding a prompt handler that accepts user input and confirming that injected instructions are treated as data, not commands.

LLM consensus

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Replace this README with README.v2.md when v2 is released -->

> [!NOTE]

> **This README documents v1.x of the MCP Pyt

RemediationAI

The problem is that the README.md does not provide guidance on safe prompt handling in MCP servers, leaving developers vulnerable to prompt injection attacks when they interpolate user input into prompts. Add a security section to README.md that explicitly documents the requirement to wrap untrusted parameters in `<untrusted>...</untrusted>` tags or use `json.dumps()` when building prompt text in handlers decorated with `@mcp.prompt()`. This fix prevents attackers from injecting arbitrary LLM instructions via prompt parameters. Verify by creating a test prompt handler that accepts user input and confirming that injected instructions are treated as data.

Evidence

"""MCPServer quickstart example.

Run from the repository root:

    uv run examples/snippets/servers/mcpserver_quickstart.py

"""

from mcp.server.mcpserver import MCPServer

# Create an MCP server

mcp = MCPServer("Demo")

# Add an addition tool

@mcp.tool()

def add(a: int, b: int) -> int:

    """Add two numbers"""

    return a + b

# Add a dynamic greeting resource

@mcp.resource("greeting://{name}")

def get_greeting(name: str) -> str:

    """Get a personalized greeting"""

    return f"Hello, {n

RemediationAI

The problem is that the `mcpserver_quickstart.py` example does not demonstrate safe handling of user input in prompts, leaving developers vulnerable to prompt injection attacks when they copy this pattern. Add a prompt handler example that wraps untrusted parameters in `<untrusted>...</untrusted>` tags or uses `json.dumps()` to escape them. This fix prevents prompt injection attacks in handlers. Verify by adding a prompt handler that accepts user input and confirming that injected instructions are treated as data, not commands.

Evidence

from mcp.server.mcpserver import MCPServer

from mcp.types import (

    Completion,

    CompletionArgument,

    CompletionContext,

    PromptReference,

    ResourceTemplateReference,

)

mcp = MCPServer(name="Example")

@mcp.resource("github://repos/{owner}/{repo}")

def github_repo(owner: str, repo: str) -> str:

    """GitHub repository resource."""

    return f"Repository: {owner}/{repo}"

@mcp.prompt(description="Code review prompt")

def review_code(language: str, code: str) -> str:

    """Gen

RemediationAI

The problem is that the `completion.py` example registers resource handlers with URI parameters (`owner`, `repo`) but does not demonstrate safe path canonicalization or prompt injection prevention. Add documentation and example code showing how to canonicalize file paths using `os.path.realpath()` and `os.path.commonpath()`, and wrap any user-controlled text in prompts with `<untrusted>...</untrusted>` tags or `json.dumps()`. This fix prevents directory traversal and prompt injection attacks. Verify by attempting to access `../../../etc/passwd` via the resource URI and confirming it raises an error.

Evidence

# MCP Python SDK

!!! info "You are viewing the in-development v2 documentation"

    For the current stable release, see the [v1.x documentation](https://py.sdk.modelcontextprotocol.io/).

The **Model Context Protocol (MCP)** allows applications to provide context for LLMs in a standardized way, separating the concerns of providing context from the actual LLM interaction.

This Python SDK implements the full MCP specification, making it easy to:

- **Build MCP servers** that expose resources, pr

RemediationAI

The problem is that the docs/index.md does not provide security guidance on safe prompt handling in MCP servers, leaving developers vulnerable to prompt injection attacks. Add a security best-practices section to docs/index.md that explicitly documents the requirement to wrap untrusted parameters in `<untrusted>...</untrusted>` tags or use `json.dumps()` when building prompt text in handlers. This fix prevents attackers from injecting arbitrary LLM instructions via prompt parameters. Verify by creating a test prompt handler that accepts user input and confirming that injected instructions are treated as data.

Evidence

from __future__ import annotations

from datetime import datetime

from typing import Annotated, Any, Final, Generic, Literal, TypeAlias, TypeVar

from pydantic import BaseModel, ConfigDict, Field, FileUrl, TypeAdapter

from pydantic.alias_generators import to_camel

from typing_extensions import NotRequired, TypedDict

from mcp.types.jsonrpc import RequestId

LATEST_PROTOCOL_VERSION = "2025-11-25"

"""The latest version of the Model Context Protocol.

You can find the latest specification at https:

RemediationAI

The problem is that `src/mcp/types/_types.py` is a type definitions file with no HTTP routes, so this finding appears to be a false positive or misclassification. If there are HTTP routes elsewhere that handle `tools/list` without authentication, apply auth middleware at the route or router level: for FastAPI, add `Depends(verify_jwt)` or `Depends(get_current_user)` to the route; for Flask, use `@login_required` or a custom decorator; for Express, use `passport.authenticate()`. This fix prevents anonymous clients from enumerating tools. Verify by making an unauthenticated request to the `tools/list` endpoint and confirming it returns a 401 or 403 error.

Evidence

"""MCP Server Module

This module provides a framework for creating an MCP (Model Context Protocol) server.

It allows you to easily define and handle various types of requests and notifications

using constructor-based handler registration.

Usage:

1. Define handler functions:

   async def my_list_tools(ctx, params):

       return types.ListToolsResult(tools=[...])

   async def my_call_tool(ctx, params):

       return types.CallToolResult(content=[...])

2. Create a Server instance with on_* han

RemediationAI

The problem is that `src/mcp/server/lowlevel/server.py` provides a low-level server framework but does not enforce authentication on HTTP routes by default, leaving tools/list and tools/call endpoints accessible to unauthenticated clients. Add authentication middleware to the server initialization: implement a `require_auth` decorator or middleware that checks for a valid `Authorization` header or API key on every request, and apply it to all route handlers. This fix prevents anonymous clients from enumerating and invoking tools. Verify by making an unauthenticated request to a protected endpoint and confirming it returns a 401 error.

Evidence

"""Run from the repository root:

uv run examples/snippets/servers/streamable_config.py

"""

from mcp.server.mcpserver import MCPServer

mcp = MCPServer("StatelessServer")

# Add a simple tool to demonstrate the server

@mcp.tool()

def greet(name: str = "World") -> str:

    """Greet someone by name."""

    return f"Hello, {name}!"

# Run server with streamable_http transport

# Transport-specific options (stateless_http, json_response) are passed to run()

if __name__ == "__main__":

    # Stateles

RemediationAI

The problem is that `examples/snippets/servers/streamable_config.py` uses `mcp.run()` without specifying a transport or binding address, which may default to binding on all interfaces or localhost without authentication. Change the server startup to explicitly use stdio transport: `mcp.run(transport="stdio")`, or if HTTP is required, add authentication by implementing a token verifier and passing it to the server. This fix prevents DNS-rebinding attacks from malicious web pages. Verify by confirming the server only accepts connections from stdio or requires a valid Authorization header.

Evidence

"""MCPServer quickstart example.

Run from the repository root:

    uv run examples/snippets/servers/mcpserver_quickstart.py

"""

from mcp.server.mcpserver import MCPServer

# Create an MCP server

mcp = MCPServer("Demo")

# Add an addition tool

@mcp.tool()

def add(a: int, b: int) -> int:

    """Add two numbers"""

    return a + b

# Add a dynamic greeting resource

@mcp.resource("greeting://{name}")

def get_greeting(name: str) -> str:

    """Get a personalized greeting"""

    return f"Hello, {n

RemediationAI

The problem is that `examples/snippets/servers/mcpserver_quickstart.py` does not specify a transport or authentication, which may default to binding on localhost without auth, leaving it vulnerable to DNS-rebinding attacks. Change the server startup to use stdio transport: `mcp.run(transport="stdio")`, or if HTTP is required, add authentication by implementing token verification. This fix prevents malicious web pages from invoking tools via DNS rebinding. Verify by confirming the server only accepts connections from stdio or requires a valid Authorization header.

Evidence

#!/usr/bin/env python3

"""MCP Everything Server - Conformance Test Server

Server implementing all MCP features for conformance testing based on Conformance Server Specification.

"""

import asyncio

import base64

import json

import logging

import click

from mcp.server import ServerRequestContext

from mcp.server.mcpserver import Context, MCPServer

from mcp.server.mcpserver.prompts.base import UserMessage

from mcp.server.streamable_http import EventCallback, EventMessage, EventStore

from mcp.type

RemediationAI

The problem is that `examples/servers/everything-server/mcp_everything_server/server.py` binds an HTTP transport to localhost and registers tools without enforcing authentication, leaving it vulnerable to DNS-rebinding attacks. Add authentication to the server by implementing a token verifier and requiring an `Authorization` header on all requests, or switch to stdio transport: `mcp.run(transport="stdio")`. This fix prevents malicious web pages from invoking tools. Verify by making an unauthenticated request to a tool endpoint and confirming it returns a 401 error.

Evidence

"""Run from the repository root:

uv run examples/snippets/servers/oauth_server.py

"""

from pydantic import AnyHttpUrl

from mcp.server.auth.provider import AccessToken, TokenVerifier

from mcp.server.auth.settings import AuthSettings

from mcp.server.mcpserver import MCPServer

class SimpleTokenVerifier(TokenVerifier):

    """Simple token verifier for demonstration."""

    async def verify_token(self, token: str) -> AccessToken | None:

        pass  # This is where you would implement actual to

RemediationAI

The problem is that `examples/snippets/servers/oauth_server.py` demonstrates OAuth token verification but does not validate the `Host` header on HTTP requests, leaving it vulnerable to DNS-rebinding attacks even with authentication. Add host header validation by checking `req.headers.host` against an allow-list of expected hostnames (e.g., `localhost`, `127.0.0.1`) before processing requests, or use a middleware that enforces this check. This fix prevents attackers from using DNS rebinding to bypass same-origin checks. Verify by making a request with a spoofed `Host` header and confirming it is rejected.

LLM consensus

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Move this content back to README.md when v2 is released -->

> [!IMPORTANT]

> **This documents v2 of the SDK (currentl

RemediationAI

The problem is that README.v2.md does not document host header validation requirements for HTTP-bound MCP servers, leaving developers vulnerable to DNS-rebinding attacks. Add a security section to README.v2.md that explicitly documents the requirement to validate the `Host` header against an allow-list of expected hostnames when binding to localhost. This fix prevents DNS-rebinding attacks. Verify by creating a test server and making a request with a spoofed `Host` header, confirming it is rejected.

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Replace this README with README.v2.md when v2 is released -->

> [!NOTE]

> **This README documents v1.x of the MCP Pyt

RemediationAI

The problem is that README.md does not document host header validation requirements for HTTP-bound MCP servers, leaving developers vulnerable to DNS-rebinding attacks. Add a security section to README.md that explicitly documents the requirement to validate the `Host` header against an allow-list of expected hostnames when binding to localhost. This fix prevents DNS-rebinding attacks. Verify by creating a test server and making a request with a spoofed `Host` header, confirming it is rejected.

Evidence

"""MCPServer quickstart example.

Run from the repository root:

    uv run examples/snippets/servers/mcpserver_quickstart.py

"""

from mcp.server.mcpserver import MCPServer

# Create an MCP server

mcp = MCPServer("Demo")

# Add an addition tool

@mcp.tool()

def add(a: int, b: int) -> int:

    """Add two numbers"""

    return a + b

# Add a dynamic greeting resource

@mcp.resource("greeting://{name}")

def get_greeting(name: str) -> str:

    """Get a personalized greeting"""

    return f"Hello, {n

RemediationAI

The problem is that `examples/snippets/servers/mcpserver_quickstart.py` does not validate the `Host` header on HTTP requests, leaving it vulnerable to DNS-rebinding attacks. Add host header validation by checking `req.headers.host` against an allow-list of expected hostnames (e.g., `localhost`, `127.0.0.1`) before processing requests. This fix prevents attackers from using DNS rebinding to bypass same-origin checks. Verify by making a request with a spoofed `Host` header and confirming it is rejected.

Evidence

"""Run from the repository root:

uv run examples/snippets/servers/streamable_config.py

"""

from mcp.server.mcpserver import MCPServer

mcp = MCPServer("StatelessServer")

# Add a simple tool to demonstrate the server

@mcp.tool()

def greet(name: str = "World") -> str:

    """Greet someone by name."""

    return f"Hello, {name}!"

# Run server with streamable_http transport

# Transport-specific options (stateless_http, json_response) are passed to run()

if __name__ == "__main__":

    # Stateles

RemediationAI

The problem is that `examples/snippets/servers/streamable_config.py` does not validate the `Host` header on HTTP requests, leaving it vulnerable to DNS-rebinding attacks. Add host header validation by checking `req.headers.host` against an allow-list of expected hostnames (e.g., `localhost`, `127.0.0.1`) before processing requests. This fix prevents attackers from using DNS rebinding to bypass same-origin checks. Verify by making a request with a spoofed `Host` header and confirming it is rejected.

Evidence

#!/usr/bin/env python3

"""MCP Everything Server - Conformance Test Server

Server implementing all MCP features for conformance testing based on Conformance Server Specification.

"""

import asyncio

import base64

import json

import logging

import click

from mcp.server import ServerRequestContext

from mcp.server.mcpserver import Context, MCPServer

from mcp.server.mcpserver.prompts.base import UserMessage

from mcp.server.streamable_http import EventCallback, EventMessage, EventStore

from mcp.type

RemediationAI

The problem is that `examples/servers/everything-server/mcp_everything_server/server.py` does not validate the `Host` header on HTTP requests, leaving it vulnerable to DNS-rebinding attacks. Add host header validation by checking `req.headers.host` against an allow-list of expected hostnames (e.g., `localhost`, `127.0.0.1`) before processing requests. This fix prevents attackers from using DNS rebinding to bypass same-origin checks. Verify by making a request with a spoofed `Host` header and confirming it is rejected.

Evidence

# Migration Guide: v1 to v2

This guide covers the breaking changes introduced in v2 of the MCP Python SDK and how to update your code.

## Overview

Version 2 of the MCP Python SDK introduces several breaking changes to improve the API, align with the MCP specification, and provide better type safety.

## Breaking Changes

### `streamablehttp_client` removed

The deprecated `streamablehttp_client` function has been removed. Use `streamable_http_client` instead.

**Before (v1):**

```python

from

RemediationAI

The problem is that `docs/migration.md` does not document host header validation requirements when migrating to v2, leaving developers vulnerable to DNS-rebinding attacks. Add a security section to the migration guide that explicitly documents the requirement to validate the `Host` header against an allow-list of expected hostnames when binding to localhost. This fix prevents DNS-rebinding attacks. Verify by creating a test server and making a request with a spoofed `Host` header, confirming it is rejected.

Evidence

# MCP Python SDK

!!! info "You are viewing the in-development v2 documentation"

    For the current stable release, see the [v1.x documentation](https://py.sdk.modelcontextprotocol.io/).

The **Model Context Protocol (MCP)** allows applications to provide context for LLMs in a standardized way, separating the concerns of providing context from the actual LLM interaction.

This Python SDK implements the full MCP specification, making it easy to:

- **Build MCP servers** that expose resources, pr

RemediationAI

The problem is that `docs/index.md` does not document host header validation requirements for HTTP-bound MCP servers, leaving developers vulnerable to DNS-rebinding attacks. Add a security section to docs/index.md that explicitly documents the requirement to validate the `Host` header against an allow-list of expected hostnames when binding to localhost. This fix prevents DNS-rebinding attacks. Verify by creating a test server and making a request with a spoofed `Host` header, confirming it is rejected.

Evidence

# Or for SSE

mcp = MCPServer("Server")

mcp.run(transport="sse", host="0.0.0.0", port=9000, sse_path="/events")

```

**For mounted apps:**

RemediationAI

The problem is that the example in `docs/migration.md` shows binding to `0.0.0.0` (all network interfaces), which exposes the MCP server to the entire network instead of just the local machine. Change `host="0.0.0.0"` to `host="127.0.0.1"` in the example: `mcp.run(transport="sse", host="127.0.0.1", port=9000, sse_path="/events")`. This fix restricts access to localhost only. Verify by confirming the server is not reachable from other machines on the network.

Evidence

mcp.run(transport="streamable-http")

# Or for SSE

mcp = FastMCP("Server", host="0.0.0.0", port=9000, sse_path="/events")

mcp.run(transport="sse")

```

RemediationAI

The problem is that the example in `docs/migration.md` shows binding to `0.0.0.0` (all network interfaces), which exposes the MCP server to the entire network instead of just the local machine. Change `host="0.0.0.0"` to `host="127.0.0.1"` in the example: `FastMCP("Server", host="127.0.0.1", port=9000, sse_path="/events")`. This fix restricts access to localhost only. Verify by confirming the server is not reachable from other machines on the network.

Evidence

message = params.message

    if not url:

        print("Error: No URL provided in elicitation request")

        return types.ElicitResult(action="cancel")

    # Reject dangerous URL schemes before prompting the user

RemediationAI

The problem is that user-controlled `params.message` is printed directly to the terminal in `examples/snippets/clients/url_elicitation_client.py` without sanitizing ANSI escape sequences, allowing attackers to inject cursor-control codes that rewrite output or hide commands. Replace `print("Error: No URL provided in elicitation request")` with a sanitized version using `print(repr(message))` or a library like `bleach` to strip ANSI codes before printing. This fix prevents terminal injection attacks. Verify by passing a message with ANSI escape codes (e.g., `\x1b[2J`) and confirming the terminal is not cleared.

Evidence

async def handle_progress(ctx: ServerRequestContext, params: ProgressNotificationParams) -> None:

    print(f"Progress: {params.progress}/{params.total}")

server = Server("my-server", on_progress=handle_progress)

```

RemediationAI

The problem is that `params.progress` and `params.total` are printed directly to the terminal in `docs/migration.md` without sanitizing ANSI escape sequences, allowing attackers to inject cursor-control codes. Replace `print(f"Progress: {params.progress}/{params.total}")` with `print(f"Progress: {repr(params.progress)}/{repr(params.total)}")` or use a sanitization library. This fix prevents terminal injection attacks. Verify by passing progress values with ANSI escape codes and confirming the terminal is not affected.

Evidence

async def handle_elicitation(context, params: ElicitRequestParams) -> ElicitResult:

    # Display the message to the user

    print(f"Server asks: {params.message}")

    # Collect user input (this is a simplified example)

    response = input("Your response (y/n): ")

RemediationAI

The problem is that `params.message` is printed directly to the terminal in `docs/experimental/tasks-client.md` without sanitizing ANSI escape sequences, allowing attackers to inject cursor-control codes. Replace `print(f"Server asks: {params.message}")` with `print(f"Server asks: {repr(params.message)}")` or use a sanitization library. This fix prevents terminal injection attacks. Verify by passing a message with ANSI escape codes and confirming the terminal is not affected.

Evidence

async def handle_sampling_message(

    context: ClientRequestContext, params: types.CreateMessageRequestParams

) -> types.CreateMessageResult:

    print(f"Sampling request: {params.messages}")

    return types.CreateMessageResult(

        role="assistant",

        content=types.TextContent(

RemediationAI

The problem is that `params.messages` is printed directly to the terminal in `README.v2.md` without sanitizing ANSI escape sequences, allowing attackers to inject cursor-control codes. Replace `print(f"Sampling request: {params.messages}")` with `print(f"Sampling request: {repr(params.messages)}")` or use a sanitization library. This fix prevents terminal injection attacks. Verify by passing messages with ANSI escape codes and confirming the terminal is not affected.

Evidence

async def handle_sampling_message(

    context: RequestContext[ClientSession, None], params: types.CreateMessageRequestParams

) -> types.CreateMessageResult:

    print(f"Sampling request: {params.messages}")

    return types.CreateMessageResult(

        role="assistant",

        content=types.TextContent(

RemediationAI

The problem is that `params.messages` is printed directly to the terminal in `README.md` without sanitizing ANSI escape sequences, allowing attackers to inject cursor-control codes. Replace `print(f"Sampling request: {params.messages}")` with `print(f"Sampling request: {repr(params.messages)}")` or use a sanitization library. This fix prevents terminal injection attacks. Verify by passing messages with ANSI escape codes and confirming the terminal is not affected.

Evidence

async def handle_sampling_message(

    context: ClientRequestContext, params: types.CreateMessageRequestParams

) -> types.CreateMessageResult:

    print(f"Sampling request: {params.messages}")

    return types.CreateMessageResult(

        role="assistant",

        content=types.TextContent(

RemediationAI

The problem is that `params.messages` is printed directly to the terminal in `examples/snippets/clients/stdio_client.py` without sanitizing ANSI escape sequences, allowing attackers to inject cursor-control codes. Replace `print(f"Sampling request: {params.messages}")` with `print(f"Sampling request: {repr(params.messages)}")` or use a sanitization library. This fix prevents terminal injection attacks. Verify by passing messages with ANSI escape codes and confirming the terminal is not affected.

Evidence

async def elicitation_callback(context, params: ElicitRequestParams) -> ElicitResult:

    print(f"\n[Elicitation] {params.message}")

    response = input("Confirm? (y/n): ")

    return ElicitResult(action="accept", content={"confirm": response.lower() == "y"})

RemediationAI

The problem is that `params.message` is printed directly to the terminal in `docs/experimental/tasks-client.md` without sanitizing ANSI escape sequences, allowing attackers to inject cursor-control codes. Replace `print(f"\n[Elicitation] {params.message}")` with `print(f"\n[Elicitation] {repr(params.message)}")` or use a sanitization library. This fix prevents terminal injection attacks. Verify by passing a message with ANSI escape codes and confirming the terminal is not affected.

Evidence

def main() -> None:

    """Main entry point for the conformance client."""

    if len(sys.argv) < 2:

        print(f"Usage: {sys.argv[0]} <server-url>", file=sys.stderr)

        sys.exit(1)

    server_url = sys.argv[1]

RemediationAI

The problem is that `sys.argv[1]` (the server URL) is printed directly to stderr in `.github/actions/conformance/client.py` without sanitizing ANSI escape sequences, allowing attackers to inject cursor-control codes. Replace `print(f"Usage: {sys.argv[0]} <server-url>", file=sys.stderr)` with `print(f"Usage: {repr(sys.argv[0])} <server-url>", file=sys.stderr)` or use a sanitization library. This fix prevents terminal injection attacks. Verify by passing a URL with ANSI escape codes and confirming the terminal is not affected.

Evidence

params: ElicitRequestParams,

) -> ElicitResult:

    """Handle elicitation requests from the server."""

    print(f"\n[Elicitation] Server asks: {params.message}")

    # Simple terminal prompt

    response = input("Your response (y/n): ").strip().lower()

RemediationAI

The problem is that `params.message` is printed directly to the terminal in `examples/clients/simple-task-interactive-client/mcp_simple_task_interactive_client/main.py` without sanitizing ANSI escape sequences, allowing attackers to inject cursor-control codes. Replace `print(f"\n[Elicitation] Server asks: {params.message}")` with `print(f"\n[Elicitation] Server asks: {repr(params.message)}")` or use a sanitization library. This fix prevents terminal injection attacks. Verify by passing a message with ANSI escape codes and confirming the terminal is not affected.

Evidence

return f"Elicitation result: action={result.action}, content={content}"

    except Exception as e:

        return f"Elicitation not supported or error: {str(e)}"

class EnumSchemasTestSchema(BaseModel):

RemediationAI

The problem is that exception details are returned directly to the caller in `examples/servers/everything-server/mcp_everything_server/server.py` via `str(e)`, exposing internal paths and library versions. Replace `return f"Elicitation not supported or error: {str(e)}"` with `return "Elicitation not supported or error: An internal error occurred"` and log the full exception internally using `logging.exception()`. This fix prevents information disclosure. Verify by triggering an exception and confirming the response does not contain stack traces or internal details.

Evidence

return f"LLM response: {model_response}"

    except Exception as e:

        return f"Sampling not supported or error: {str(e)}"

class UserResponse(BaseModel):

RemediationAI

The problem is that exception details are returned directly to the caller in `examples/servers/everything-server/mcp_everything_server/server.py` via `str(e)`, exposing internal paths and library versions. Replace `return f"Sampling not supported or error: {str(e)}"` with `return "Sampling not supported or error: An internal error occurred"` and log the full exception internally using `logging.exception()`. This fix prevents information disclosure. Verify by triggering an exception and confirming the response does not contain stack traces or internal details.

Evidence

return f"User response: action={result.action}, content={content}"

    except Exception as e:

        return f"Elicitation not supported or error: {str(e)}"

class SEP1034DefaultsSchema(BaseModel):

RemediationAI

The problem is that exception details are returned directly to the caller in `examples/servers/everything-server/mcp_everything_server/server.py` via `str(e)`, exposing internal paths and library versions. Replace `return f"Elicitation not supported or error: {str(e)}"` with `return "Elicitation not supported or error: An internal error occurred"` and log the full exception internally using `logging.exception()`. This fix prevents information disclosure. Verify by triggering an exception and confirming the response does not contain stack traces or internal details.

Evidence

return f"Elicitation completed: action={result.action}, content={content}"

    except Exception as e:

        return f"Elicitation not supported or error: {str(e)}"

@mcp.tool()

RemediationAI

The problem is that exception details are returned directly to the caller in `examples/servers/everything-server/mcp_everything_server/server.py` via `str(e)`, exposing internal paths and library versions. Replace `return f"Elicitation not supported or error: {str(e)}"` with `return "Elicitation not supported or error: An internal error occurred"` and log the full exception internally using `logging.exception()`. This fix prevents information disclosure. Verify by triggering an exception and confirming the response does not contain stack traces or internal details.

Evidence

except MCPError:

            raise

        except Exception as e:

            return CallToolResult(content=[TextContent(type="text", text=str(e))], is_error=True)

        if isinstance(result, CallToolResult):

            return result

        if isinstance(result, tuple) and len(result) == 2:

RemediationAI

The problem is that exception details are returned directly to the caller in `src/mcp/server/mcpserver/server.py` via `str(e)`, exposing internal paths and library versions. Replace `return CallToolResult(content=[TextContent(type="text", text=str(e))], is_error=True)` with `return CallToolResult(content=[TextContent(type="text", text="Tool execution failed")], is_error=True)` and log the full exception internally using `logging.exception()`. This fix prevents information disclosure. Verify by triggering an exception and confirming the response does not contain stack traces or internal details.

Evidence

# Try both npx.cmd and npx.exe on Windows

        for cmd in ["npx.cmd", "npx.exe", "npx"]:

            try:

                subprocess.run([cmd, "--version"], check=True, capture_output=True, shell=True)

                return cmd

            except subprocess.CalledProcessError:

                continue

RemediationAI

The problem is that `subprocess.run()` in `src/mcp/cli/cli.py` is called without a timeout parameter, allowing a hung npx process to block indefinitely and exhaust resources. Add a `timeout` parameter: `subprocess.run([cmd, "--version"], check=True, capture_output=True, timeout=5)`. This fix prevents resource exhaustion from hung subprocesses. Verify by creating a test that hangs and confirming it raises `subprocess.TimeoutExpired` after 5 seconds.

Evidence

async def update_importance(user_embedding: list[float], deps: Deps):

    async with deps.pool.acquire() as conn:

        rows = await conn.fetch("SELECT id, importance, access_count, embedding FROM memories")

        for row in rows:

            memory_embedding = row["embedding"]

            similarity = cosine_similarity(user_embedding, memory_embedding)

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

LLM consensus

Evidence

# /// script

# dependencies = ["pydantic-ai-slim[openai]", "asyncpg", "numpy", "pgvector"]

# ///

# uv pip install 'pydantic-ai-slim[openai]' asyncpg numpy pgvector

"""Recursive memory system inspired by the human brain's clustering of memories.

Uses OpenAI's 'text-embedding-3-small' model and pgvector for efficient

similarity search.

"""

import asyncio

import math

import os

from dataclasses import dataclass

from datetime import datetime, timezone

from pathlib import Path

from typing import An

Remediation

Pick one confirmation mechanism and add it to the destructive handler: - make the client confirm via `elicit()` before touching the sink, - accept a `dry_run` / `dryRun` boolean input and branch off the sink when true (return what would change), - require an `idempotency_key` / `idempotencyKey` the caller provides on the first call and echoes back to commit, - require a `confirmation` / `confirm` token as an input field. If the destructive call is genuinely irrelevant to the tool

LLM consensus

Evidence

description="Query the database",

            inputSchema={

                "type": "object",

                "properties": {"query": {"type": "string", "description": "SQL query to execute"}},

                "required": ["query"],

            },

        )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

# see OAuthClientMetadata; we only support `code`

    response_type: Literal["code"] = Field(..., description="Must be 'code' for authorization code flow")

    code_challenge: str = Field(..., description="PKCE code challenge")

    code_challenge_method: Literal["S256"] = Field("S256", description="PKCE code challenge method, must be S256")

    state: str | None = Field(None, description="Optional state parameter")

    scope: str | None = Field(

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"""Parameters for initializing an sse_client."""

    # The endpoint URL.

    url: str

    # Optional headers to include in requests.

    headers: dict[str, Any] | None = None

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"""Parameters for initializing a streamable_http_client."""

    # The endpoint URL.

    url: str

    # Optional headers to include in requests.

    headers: dict[str, Any] | None = None

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

description="Query the database",

                input_schema={

                    "type": "object",

                    "properties": {"query": {"type": "string", "description": "SQL query to execute"}},

                    "required": ["query"],

                },

            )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"type": "object",

                    "required": ["url"],

                    "properties": {

                        "url": {

                            "type": "string",

                            "description": "URL to fetch",

                        }

                    },

                },

            )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class HttpResource(Resource):

    """A resource that reads from an HTTP endpoint."""

    url: str = Field(description="URL to fetch content from")

    mime_type: str = Field(default="application/json", description="MIME type of the resource content")

    async def read(self) -> str | bytes:

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class AuthorizationParams(BaseModel):

    state: str | None

    scopes: list[str] | None

    code_challenge: str

    redirect_uri: AnyUrl

    redirect_uri_provided_explicitly: bool

    resource: str | None = None  # RFC 8707 resource indicator

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

message: str

    """The message to present to the user explaining why the interaction is needed."""

    url: str

    """The URL that the user should navigate to."""

    elicitation_id: str

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class AuthorizationCode(BaseModel):

    code: str

    scopes: list[str]

    expires_at: float

    client_id: str

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

scopes: list[str]

    expires_at: float

    client_id: str

    code_challenge: str

    redirect_uri: AnyUrl

    redirect_uri_provided_explicitly: bool

    resource: str | None = None  # RFC 8707 resource indicator

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

# we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

    client_secret: str | None = None

    # See https://datatracker.ietf.org/doc/html/rfc7636#section-4.5

    code_verifier: str = Field(..., description="PKCE code verifier")

    # RFC 8707 resource indicator

    resource: str | None = Field(None, description="Resource indicator for the token")

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class StdioServerParameters(BaseModel):

    command: str

    """The executable to run to start the server."""

    args: list[str] = Field(default_factory=list)

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class AuthorizationCodeRequest(BaseModel):

    # See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3

    grant_type: Literal["authorization_code"]

    code: str = Field(..., description="The authorization code")

    redirect_uri: AnyUrl | None = Field(None, description="Must be the same as redirect URI provided in /authorize")

    client_id: str

    # we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

description="Query the database",

                input_schema={

                    "type": "object",

                    "properties": {"query": {"type": "string", "description": "SQL query to execute"}},

                    "required": ["query"],

                },

            )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

{

  "mcpServers": {

    "sqlite": {

      "command": "uvx",

      "args": ["mcp-server-sqlite", "--db-path", "./test.db"]

    },

    "puppeteer": {

      "command": "npx",

      "args": ["-y", "@modelcontextprotocol/server-puppeteer"]

    }

  }

}

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

"""URL Elicitation Client Example.

Demonstrates how clients handle URL elicitation requests from servers.

This is the Python equivalent of TypeScript SDK's elicitationUrlExample.ts,

focused on URL elicitation patterns without OAuth complexity.

Features demonstrated:

1. Client elicitation capability declaration

2. Handling elicitation requests from servers via callback

3. Catching UrlElicitationRequiredError from tool calls

4. Browser interaction with security warnings

5. Interactive CLI for te

Remediation

Tool descriptions should describe what the tool does — not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct

Evidence

from __future__ import annotations

from datetime import datetime

from typing import Annotated, Any, Final, Generic, Literal, TypeAlias, TypeVar

from pydantic import BaseModel, ConfigDict, Field, FileUrl, TypeAdapter

from pydantic.alias_generators import to_camel

from typing_extensions import NotRequired, TypedDict

from mcp.types.jsonrpc import RequestId

LATEST_PROTOCOL_VERSION = "2025-11-25"

"""The latest version of the Model Context Protocol.

You can find the latest specification at https:

Remediation

Tool descriptions should describe what the tool does — not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct

Evidence