Prototype-named tools no longer bypass schemas allowlist
@ai-sdk/mcp@1.0.49
Patch Changes
-
3e8d9ba: fix(mcp): lock first sse endpoint received via event
-
4fa7354: fix(mcp): prevent prototype-named tools from bypassing the
schemasallowlistWhen using
client.tools({ schemas })to expose only an explicitly allowed subset of an MCP server's tools, the allowlist check used theinoperator, which also matches inheritedObject.prototypeproperties. A server-advertised tool namedconstructor,toString,__proto__, etc. would pass the check even though the developer never defined it inschemas, and was then exposed to the model and executable. The check now usesObject.hasOwn, so only explicitly defined tools are returned. -
Updated dependencies [bfa5864]
-
Updated dependencies [f42aa79]
- @ai-sdk/provider-utils@4.0.29
Fetched June 12, 2026

