Currently server.py:307 returns str(e) for any exception raised in a tool handler, so internal error details (DB connection strings, file paths, stack-trace fragments) reach the client verbatim via CallToolResult.content. Since that content is typically fed to an LLM, an attacker who can influence tool inputs (e.g., via prompt injection) can trigger errors and have the model read back internals.
The C# SDK already sanitizes by default: McpException messages pass through, any other exception becomes a generic "An error occurred invoking '{name}'" (McpServerImpl.cs:659-661). typescript-sdk is adding the same in modelcontextprotocol/typescript-sdk#1830 via a ToolError opt-in class.
Python already has a ToolError class in mcpserver/exceptions.py, but tools/base.py:120 wraps every exception in it and server.py:302-307 sends str(e) regardless, so it's not currently an opt-in gate.
Proposed: only pass through messages from explicitly-raised ToolError (or MCPError); other exceptions become a generic message. Would be a behavior change, so probably v2-scoped.
Relevant files: src/mcp/server/mcpserver/server.py:302-307, src/mcp/server/mcpserver/tools/base.py:119-120, src/mcp/server/mcpserver/exceptions.py
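The proposed opt-in gate, as an added example that is not the SDK's code: `ToolError` here is a local stand-in class, `run_tool`, `wrap_everything` and `lookup_user` are hypothetical names, and the connection string is constructed. It also shows why wrapping every exception in `ToolError` defeats the gate.

```python
import logging

logger = logging.getLogger("tool_errors")


class ToolError(Exception):
    """Local stand-in: an error whose message the tool author intends for the client."""


def run_tool(name, handler, arguments):
    """Run a tool and return {'isError', 'text'}; only ToolError text reaches the client."""
    try:
        return {"isError": False, "text": str(handler(**arguments))}
    except ToolError as e:
        # Explicitly raised by the tool author, so the message passes through.
        return {"isError": True, "text": str(e)}
    except Exception:
        # Everything else: full details stay in the server log only.
        logger.exception("unhandled error in tool %r", name)
        return {"isError": True, "text": f"An error occurred invoking '{name}'"}


def lookup_user(user_id):
    """Constructed sample tool with one intended error and one internal failure."""
    if not user_id.isdigit():
        raise ToolError("user_id must be numeric")
    # Constructed failure standing in for a driver error that embeds a DSN.
    raise ConnectionError(
        "could not connect to postgresql://app:s3cret@db.internal:5432/prod"
    )


def wrap_everything(handler):
    """The pattern the issue describes: every exception is re-raised as ToolError."""
    def wrapped(**kwargs):
        try:
            return handler(**kwargs)
        except Exception as e:
            # Constructed wrapper message; the internal text rides along inside it.
            raise ToolError(f"Error executing tool: {e}") from e
    return wrapped


if __name__ == "__main__":
    print(run_tool("lookup_user", lookup_user, {"user_id": "abc"}))
    print(run_tool("lookup_user", lookup_user, {"user_id": "42"}))
    print(run_tool("lookup_user", wrap_everything(lookup_user), {"user_id": "42"}))
```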