Skip to content

fix: reject JSON-RPC requests with id: null instead of misclassifying as notification#2168

Closed
giulio-leone wants to merge 4 commits intomodelcontextprotocol:mainfrom
giulio-leone:fix/jsonrpc-null-id-validation
Closed

fix: reject JSON-RPC requests with id: null instead of misclassifying as notification#2168
giulio-leone wants to merge 4 commits intomodelcontextprotocol:mainfrom
giulio-leone:fix/jsonrpc-null-id-validation

Conversation

@giulio-leone
Copy link

@giulio-leone giulio-leone commented Feb 28, 2026

Summary

Reject JSON-RPC messages with "id": null instead of silently misclassifying them as notifications.

Problem

When a JSON-RPC request arrives with "id": null:

  1. JSONRPCRequest correctly rejects it (null is not a valid RequestId)
  2. Pydantic falls through to JSONRPCNotification, which absorbs the extra "id" field via implicit extra='allow'
  3. The streamable HTTP transport sees "not a request" and returns 202
  4. The caller gets no error and no response — a silent failure that's hard to debug

Solution

Set model_config = ConfigDict(extra='forbid') on JSONRPCNotification. This prevents any unrecognised fields (including "id": null) from being silently absorbed, causing a proper validation error.

Tests

Added 6 test cases in tests/issues/test_2057_null_id.py:

  • test_request_rejects_null_id — JSONRPCRequest rejects id: null
  • test_notification_rejects_extra_id_field — JSONRPCNotification rejects extra id
  • test_message_adapter_rejects_null_id — Union adapter rejects id: null
  • test_valid_notification_without_id — Normal notifications still work
  • test_valid_request_with_int_id — Normal int-id requests still work
  • test_valid_request_with_string_id — Normal string-id requests still work

Full test suite: 1128 passed, 2 consecutive clean runs.

Fixes #2057

@giulio-leone
fix: reject JSON-RPC requests with id: null instead of misclassifying…
8055ec7 
… as notification

When a JSON-RPC message arrives with "id": null, it should be
rejected.  Both JSON-RPC 2.0 and the MCP spec restrict request IDs
to strings or integers.

Previously, JSONRPCRequest correctly rejected null IDs, but Pydantic
fell through to JSONRPCNotification which silently absorbed the extra
"id" field via implicit extra='allow'.  The caller got a 202 with
no response and no error.

Set extra='forbid' on JSONRPCNotification so that any unrecognised
field (including "id": null) causes a validation error.

Fixes modelcontextprotocol#2057
@giulio-leone
style: apply ruff format
0035dfc
@giulio-leone giulio-leone force-pushed the fix/jsonrpc-null-id-validation branch from faf4158 to 0035dfc Compare February 28, 2026 14:41
giulio-leone and others added 2 commits February 28, 2026 16:27
@giulio-leone
fix: remove unused JSONRPCMessage import
f433a4b
@giulio-leone
chore: retrigger CI (previous run had cancelled job)
2f74380 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@giulio-leone
Copy link
Author

giulio-leone commented Feb 28, 2026

Closing to reduce noise — focusing on the most impactful PRs. Happy to reopen if there's interest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Requests with "id": null silently misclassified as notifications

1 participant

@giulio-leone