Skip to content

fix: reject duplicate initialize requests#962

Open
he-yufeng wants to merge 2 commits into
modelcontextprotocol:mainfrom
he-yufeng:fix/reject-duplicate-initialize
Open

fix: reject duplicate initialize requests#962
he-yufeng wants to merge 2 commits into
modelcontextprotocol:mainfrom
he-yufeng:fix/reject-duplicate-initialize

Conversation

@he-yufeng
Copy link
Copy Markdown

@he-yufeng he-yufeng commented May 15, 2026

Summary

  • reject a second initialize request on an already initialized server session
  • keep the original ServerSession.InitializeParams() instead of replacing it with later client parameters
  • add a raw JSON-RPC regression test for the duplicate-initialize path

Fixes #961.

To verify

  • go test ./mcp -run TestServerRejectsDuplicateInitialize -count=1
  • go test ./mcp -count=1
  • go test ./...

@he-yufeng he-yufeng force-pushed the fix/reject-duplicate-initialize branch from 603d55c to f62a410 Compare May 15, 2026 20:39
guglielmo-san
guglielmo-san reviewed May 18, 2026
View reviewed changes
Comment thread mcp/server.go Outdated
})
if duplicate {
ss.server.opts.Logger.Error("duplicate initialize request")
return nil, fmt.Errorf("%w: duplicate %q received", jsonrpc2.ErrInvalidRequest, methodInitialize)
Copy link
Copy Markdown
Contributor

@guglielmo-san guglielmo-san May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

// ErrInvalidRequest is used when the JSON sent is not a valid Request object.

This does not seem the right error for this case. We might align it to the 'duplicate initialized notification' case error

@he-yufeng he-yufeng force-pushed the fix/reject-duplicate-initialize branch from f62a410 to 64d6f95 Compare May 18, 2026 17:59
@he-yufeng
Copy link
Copy Markdown
Author

he-yufeng commented May 18, 2026
edited
Loading

Thanks, that makes sense. I pushed 64d6f95 to align the duplicate initialize request with the duplicate notifications/initialized handling by returning the duplicate-message error directly instead of wrapping it as ErrInvalidRequest.

Validation run locally:

  • go test ./mcp -run TestServerRejectsDuplicateInitialize -count=1
  • go test ./mcp -count=1
  • go test ./... -count=1
  • git diff --check origin/main..HEAD

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@guglielmo-san guglielmo-san guglielmo-san left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Duplicate initialize with changed parameters can overwrite stored session initialization parameters

2 participants

@he-yufeng @guglielmo-san