modelcontextprotocol · tonxxd · Apr 17, 2026
@@ -0,0 +1,5 @@
+---
+'@modelcontextprotocol/server': patch
+---
+
+Escape `U+2028` (LINE SEPARATOR) and `U+2029` (PARAGRAPH SEPARATOR) in `WebStandardStreamableHTTPServerTransport` SSE `data:` lines. `JSON.stringify` leaves these codepoints unescaped, but many SSE client parsers treat them as line terminators and truncate the frame mid-JSON, which made tool calls silently hang on the client whenever a response contained either character.
@@ -579,7 +579,10 @@ export class WebStandardStreamableHTTPServerTransport implements Transport {
             if (eventId) {
                 eventData += `id: ${eventId}\n`;
             }
-            eventData += `data: ${JSON.stringify(message)}\n\n`;
+            const safeJson = JSON.stringify(message)
+                .replaceAll('\u2028', String.raw`\u2028`)
+                .replaceAll('\u2029', String.raw`\u2029`);
+            eventData += `data: ${safeJson}\n\n`;
             controller.enqueue(encoder.encode(eventData));
             return true;
         } catch (error) {

@@ -271,6 +271,56 @@ describe('Zod v4', () => {
                 });
             });
 
+            it('should escape U+2028 and U+2029 in SSE data lines', async () => {
+                mcpServer.registerTool(
+                    'emit-line-separators',
+                    {
+                        description: 'Emits text containing U+2028 and U+2029',
+                        inputSchema: z.object({})
+                    },
+                    async (): Promise<CallToolResult> => {
+                        return {
+                            content: [
+                                {
+                                    type: 'text',
+                                    text: 'before\u2028middle\u2029after'
+                                }
+                            ]
+                        };
+                    }
+                );
+
+                sessionId = await initializeServer();
+
+                const toolCallMessage: JSONRPCMessage = {
+                    jsonrpc: '2.0',
+                    method: 'tools/call',
+                    params: { name: 'emit-line-separators', arguments: {} },
+                    id: 'ls-1'
+                };
+
+                const request = createRequest('POST', toolCallMessage, { sessionId });
+                const response = await transport.handleRequest(request);
+                expect(response.status).toBe(200);
+
+                const rawEvent = await readSSEEvent(response);
+
+                expect(rawEvent).not.toContain('\u2028');
+                expect(rawEvent).not.toContain('\u2029');
+                expect(rawEvent).toContain(String.raw`\u2028`);
+                expect(rawEvent).toContain(String.raw`\u2029`);
+
+                // The content still round-trips correctly after JSON.parse.
+                const eventData = parseSSEData(rawEvent);
+                expect(eventData).toMatchObject({
+                    jsonrpc: '2.0',
+                    id: 'ls-1',
+                    result: {
+                        content: [{ type: 'text', text: 'before\u2028middle\u2029after' }]
+                    }
+                });
+            });
+
             it('should reject requests without a valid session ID', async () => {
                 const request = createRequest('POST', TEST_MESSAGES.toolsList);
                 const response = await transport.handleRequest(request);