Do not return and expose internal errors to the client as this is a security risk #1429
Description
Describe the bug
Tools automatically catch, wrap and return errors as JSON-RPC responses to the consuming client.
This has the potential to reveal sensitive internal information of a back end system to the MCP Client and MCP Host.
Even if an error is harmless at the first glance, internal errors can reveal system behavior to an attacker and act as a measurement for attackers actions impact.
To Reproduce
server.registerTool(
"example-tool",
{
description:
`Example tool that returns an potentially sensitive error to the client`,
},
async ({}): Promise<CallToolResult> => {
throw new Error("Internal services not reachable fake error");
return {
content: [
{
type: "text",
text: "This part is unreachable"
}
],
};
}
);This automatically wraps into an JSON-RPC error which is returned to the client:
{
content: [
0: {
type: "text",
text: "Internal services not reachable fake error "
}
],
isError: true
}Expected behavior
Do not expose internal errors as responses. Error hard with "Unhandled exception".
Provide error helpers, so the developer can catch and wrap errors and return them to the client in a curated manner.