Skip to content

Panic in mcp-add when req.Session is nil (nil pointer dereference) #442

Open
Open
Panic in mcp-add when req.Session is nil (nil pointer dereference)#442
@pdudas76

Description

@pdudas76
pdudas76
opened on Mar 14, 2026

Panic in mcp-add when req.Session is nil (nil pointer dereference)

Summary

The Docker MCP Gateway panics with a nil pointer dereference when the mcp-add tool is invoked to add a server from a custom catalog (e.g. --additional-catalog webhook-mcp). The crash occurs in pkg/gateway/mcpadd.go when req.Session is nil and code calls req.Session.InitializeParams() without a nil check.

Environment

  • Docker MCP Gateway: docker mcp gateway run --additional-catalog webhook-mcp
  • OS: macOS (darwin)
  • Custom catalog: Local YAML catalog for a container-based MCP server (webhook-mcp)

Steps to Reproduce

  1. Create a custom MCP catalog YAML that defines a server (e.g. webhook-mcp) with image or command and add it via --additional-catalog.
  2. Start the gateway: docker mcp gateway run --additional-catalog webhook-mcp
  3. Connect a client (e.g. Cursor, Claude Desktop) to the gateway.
  4. Invoke the mcp-add tool with the server name (e.g. {"name": "webhook-mcp"}).
  5. The gateway panics.

Expected Behavior

The gateway should either:

  • Successfully add the server and return a result, or
  • Return a structured error (e.g. "missing session info") instead of panicking.

Actual Behavior

The gateway panics with a nil pointer dereference:

panic: runtime error: invalid memory address or nil pointer dereference
[stack trace pointing to pkg/gateway/mcpadd.go:222]

Root Cause

In mcpadd.go, req.Session is accessed without a nil check in several places:

  1. Line ~177 (missing secrets/config handling):

    if init := req.Session.InitializeParams(); init != nil && init.ClientInfo != nil {
    clientName = init.ClientInfo.Name
}

    If req.Session is nil, req.Session.InitializeParams() panics.

  2. Line ~294–295 (OAuth handling in getRemoteOAuthServerStatus):

    init := req.Session.InitializeParams()

    Same issue when req.Session is nil.

For some transports or client connection types, req.Session can be nil. The code should guard these accesses.

Suggested Fix

Add nil checks before accessing req.Session:

// Example for the first case (~line 177):
var clientName string
if req.Session != nil {
    if init := req.Session.InitializeParams(); init != nil && init.ClientInfo != nil {
        clientName = init.ClientInfo.Name
    }
}

// Example for OAuth handling (~line 294):
var init *mcp.InitializeParams
if req.Session != nil {
    init = req.Session.InitializeParams()
}
// Then use init with nil checks where needed

Additional Context

  • The custom catalog server (webhook-mcp) is a local container-based MCP server with tools for querying webhook data.
  • The panic occurs regardless of whether the server is remote/OAuth or local; the crash happens before that logic when req.Session is nil.
  • This blocks use of mcp-add for dynamically adding servers from custom catalogs when the session is not populated.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions