Skip to content

server: add maxBodyBytes guard for streamable HTTP #1498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
TheodorNEngoy wants to merge 1 commit into from
Closed

server: add maxBodyBytes guard for streamable HTTP #1498

TheodorNEngoy wants to merge 1 commit into from
+105 −1

Conversation

@TheodorNEngoy
Copy link

@TheodorNEngoy TheodorNEngoy commented Feb 7, 2026

WebStandardStreamableHTTPServerTransport currently parses POST bodies via await req.json(), which buffers the full request body in memory.

This PR adds a maxBodyBytes option (default: 1_000_000) and enforces it when parsing JSON bodies. Oversized payloads return 413.

  • Adds maxBodyBytes to WebStandardStreamableHTTPServerTransportOptions (negative disables)
  • Enforces the limit via streaming read + byte count (fast Content-Length reject when present)
  • Returns 413 with JSON error response (-32_000, "Payload too large")
  • Adds a focused test

Note: if callers pass parsedBody to handleRequest, they must enforce limits in their framework/body parser.

@TheodorNEngoy TheodorNEngoy requested a review from a team as a code owner February 7, 2026 23:09
@changeset-bot
Copy link

changeset-bot bot commented Feb 7, 2026

🦋 Changeset detected

Latest commit: 7ec9f3e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages
Name Type
@modelcontextprotocol/server Patch
@modelcontextprotocol/express Patch
@modelcontextprotocol/hono Patch
@modelcontextprotocol/node Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new
Copy link

pkg-pr-new bot commented Feb 7, 2026

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1498

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1498

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1498

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1498

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1498

commit: 7ec9f3e

@TheodorNEngoy
Copy link
Author

TheodorNEngoy commented Feb 7, 2026

Closing as a duplicate of #1496 (same maxBodyBytes guard for streamable HTTP). Consolidating to keep review surface small; #1496 now also documents parsedBody semantics.

@TheodorNEngoy TheodorNEngoy deleted the codex/streamable-body-limit branch February 7, 2026 23:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TheodorNEngoy