From cc706857177b20e9f46386016addb94b7bde529a Mon Sep 17 00:00:00 2001
From: kai-agent-free
Date: Sat, 28 Mar 2026 12:42:34 +0000
Subject: [PATCH 1/2] fix: reject request IDs exceeding Number.MAX_SAFE_INTEGER

Adds a validation refinement to RequestIdSchema to reject numeric request IDs outside the safe integer range. Previously, a single request with an ID > MAX_SAFE_INTEGER (e.g. 9007199254740992) would cause the server to hang indefinitely with no error response, as JSON.parse silently loses precision on large integers. The fix validates that numeric IDs fall within Number.MIN_SAFE_INTEGER to Number.MAX_SAFE_INTEGER, causing the Zod parse to fail and return a proper JSON-RPC error response instead of silently hanging. Fixes #1765
---
 packages/core/src/types/schemas.ts | 10 +++++++++-
 packages/core/test/types.test.ts | 21 +++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/packages/core/src/types/schemas.ts b/packages/core/src/types/schemas.ts
index 309b6ade2..cca62be1e 100644
--- a/packages/core/src/types/schemas.ts
+++ b/packages/core/src/types/schemas.ts
@@ -119,7 +119,15 @@ export const ResultSchema = z.looseObject({
 /**
 * A uniquely identifying ID for a request in JSON-RPC.
 */
-export const RequestIdSchema = z.union([z.string(), z.number().int()]);
+export const RequestIdSchema = z.union([
+ z.string(),
+ z
+ .number()
+ .int()
+ .refine(n => n >= Number.MIN_SAFE_INTEGER && n <= Number.MAX_SAFE_INTEGER, {
+ message: 'Request ID must be within Number.MAX_SAFE_INTEGER range'
+ })
+]);
 
 /**
 * A request that expects a response.
diff --git a/packages/core/test/types.test.ts b/packages/core/test/types.test.ts
index 429b3ecdd..9222838a3 100644
--- a/packages/core/test/types.test.ts
+++ b/packages/core/test/types.test.ts
@@ -1,4 +1,5 @@
 import {
+ RequestIdSchema,
 CallToolResultSchema,
 ClientCapabilitiesSchema,
 CompleteRequestSchema,
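Review bot: The refinement message in `RequestIdSchema` names only `Number.MAX_SAFE_INTEGER`, although the predicate also rejects values below `Number.MIN_SAFE_INTEGER`; `.refine(Number.isSafeInteger, { message: 'Request ID must be a safe integer' })` expresses the same check in one call and keeps message and predicate aligned. The doc comment above the schema is unchanged and could add `Numeric IDs must be safe integers, because JSON.parse silently loses precision on larger values.` so that peers generating IDs see the limit. The bound itself is sound at this layer: a wire value above 2^53 − 1 reaches the schema already rounded to a double at or above 2^53, which the range test fails.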
@@ -984,3 +985,23 @@ describe('Types', () => {
 });
 });
 });
+
+describe('RequestIdSchema', () => {
+ test('should accept string IDs', () => {
+ expect(RequestIdSchema.parse('abc-123')).toBe('abc-123');
+ });
+
+ test('should accept safe integer IDs', () => {
+ expect(RequestIdSchema.parse(1)).toBe(1);
+ expect(RequestIdSchema.parse(Number.MAX_SAFE_INTEGER)).toBe(Number.MAX_SAFE_INTEGER);
+ });
+
+ test('should reject IDs exceeding MAX_SAFE_INTEGER', () => {
+ expect(() => RequestIdSchema.parse(Number.MAX_SAFE_INTEGER + 1)).toThrow();
+ expect(() => RequestIdSchema.parse(9007199254740992)).toThrow();
+ });
+
+ test('should reject non-integer numeric IDs', () => {
+ expect(() => RequestIdSchema.parse(1.5)).toThrow();
+ });
+});
From 3d65ed9750775ea1fd1a97c03e38da842e42b00f Mon Sep 17 00:00:00 2001
From: kai-agent-free
Date: Sat, 28 Mar 2026 21:39:18 +0000
Subject: [PATCH 2/2] chore: add changeset

---
 .changeset/fix-unsafe-request-id.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/fix-unsafe-request-id.md
diff --git a/.changeset/fix-unsafe-request-id.md b/.changeset/fix-unsafe-request-id.md
new file mode 100644
index 000000000..adb9b163a
--- /dev/null
+++ b/.changeset/fix-unsafe-request-id.md
@@ -0,0 +1,5 @@
+---
+"@modelcontextprotocol/core": patch
+---
+
+fix: reject request IDs exceeding Number.MAX_SAFE_INTEGER
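Review bot: The new `RequestIdSchema` tests in types.test.ts call only `parse` on the schema, so nothing pins the behaviour the commit message describes, a JSON-RPC error response instead of an indefinite hang. A regression test that sends a request with `id: 9007199254740992` through the protocol layer and asserts an error reply would cover the denial-of-service case itself. The lower bound added in schemas.ts is untested; `expect(() => RequestIdSchema.parse(Number.MIN_SAFE_INTEGER - 1)).toThrow();` would cover it. The two assertions in 'should reject IDs exceeding MAX_SAFE_INTEGER' pass the same value, since `Number.MAX_SAFE_INTEGER + 1` is 9007199254740992. The schemas.ts hunk context shows `z.looseObject`, which suggests Zod 4, where `.int()` may already reject unsafe integers, so it is worth confirming that these tests fail on the parent commit.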