
filesystem: ~1MB JSON-RPC line on stdio causes crash or zombie state #4207

@pzr21


Describe the bug
The secure-filesystem-server MCP server becomes unavailable after receiving a single ~1 MB JSON-RPC message on stdio.

Unlike truncated JSON or type-confused fields, this payload is syntactically valid JSON-RPC. The failure is consistent with missing per-line size limits and/or unbounded buffering / JSON.parse on huge stdin lines, leading to memory pressure, event-loop blocking, or a broken read loop.

Environment
OS: Linux
Platform: Cursor Desktop
MCP server: @modelcontextprotocol/server-filesystem via npx -y
Reported serverInfo: {"name":"secure-filesystem-server","version":"0.2.0"}

To Reproduce

  1. Start the server:
     npx -y @modelcontextprotocol/server-filesystem /tmp
  2. After a normal session is established (or on a fresh stdio session), write one newline-terminated line whose JSON body is approximately 1 MB. For example:
     {
       "jsonrpc": "2.0",
       "method": "echo",
       "params": { "data": "<1,048,576 × 'A'>" },
       "id": 9999
     }

     (Exact construction: "A" * 1024 * 1024 inside params.data, then json.dumps + \n.)

  3. Wait ~200 ms, then send a valid follow-up request.

Expected behavior

  • Enforce a maximum stdin line / message size (e.g. 64 KiB–256 KiB, aligned with MCP/host limits) before full buffering or JSON.parse.
  • On oversize input: return a JSON-RPC error (or drop the line per transport rules), log a clear stderr line, and continue processing subsequent messages.
  • Server process remains alive and responsive to normal initialize / tools/list traffic after the oversized line.

Actual behavior
Observed failure modes:

  • Node process exits (transport closes abruptly), or
  • Process still running but does not respond to the post-fuzz liveness probe (“zombie state”).
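One way to implement the expected behavior above, as an added example that is not the server's own code: a bounded newline-delimited JSON-RPC reader for stdio that rejects an oversize line before buffering it in full or calling JSON.parse, queues a JSON-RPC error response, and keeps processing later lines. MAX_LINE_BYTES is an assumed limit (the report suggests 64 KiB to 256 KiB); the class and method names are this example's own.

```javascript
// Assumed limit; pick a value aligned with the host's message-size limits.
const MAX_LINE_BYTES = 64 * 1024;

function rpcError(code, message, id = null) {
  return { jsonrpc: '2.0', id, error: { code, message } };
}

class BoundedLineReader {
  constructor(maxLineBytes = MAX_LINE_BYTES) {
    this.maxLineBytes = maxLineBytes;
    this.pending = Buffer.alloc(0); // bytes of the current, still incomplete line
    this.discarding = false;        // true while skipping the rest of an oversize line
    this.messages = [];             // successfully parsed requests
    this.responses = [];            // error responses queued for stdout
  }

  // Feed one stdin chunk (string or Buffer). Retained memory stays bounded by
  // maxLineBytes plus one chunk, whether the oversize line arrives whole or streamed.
  feed(chunk) {
    let data = Buffer.concat([this.pending, Buffer.from(chunk)]);
    for (;;) {
      const nl = data.indexOf(0x0a);
      if (nl === -1) {
        if (this.discarding) {
          data = Buffer.alloc(0); // still inside a rejected line: drop everything
        } else if (data.length > this.maxLineBytes) {
          this.reject();            // over the limit with no newline yet: reject early
          this.discarding = true;
          data = Buffer.alloc(0);
        }
        break;
      }
      const line = data.subarray(0, nl);
      data = data.subarray(nl + 1);
      if (this.discarding) { this.discarding = false; continue; } // tail of rejected line
      if (line.length > this.maxLineBytes) { this.reject(); continue; }
      this.parse(line.toString('utf8'));
    }
    this.pending = data;
  }

  reject() {
    this.responses.push(rpcError(-32600, `Invalid Request: line exceeds ${this.maxLineBytes} bytes`));
  }

  parse(text) {
    if (text.trim() === '') return; // blank lines are ignored
    try { this.messages.push(JSON.parse(text)); }
    catch { this.responses.push(rpcError(-32700, 'Parse error')); }
  }
}
```

In a real server the `responses` entries would be written to stdout as they are produced; the id is null because an oversize line is never parsed, so its request id is unknown.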
