The vulnerability lies in the _receive_loop method of the Session class in src/mcp/shared/session.py. Commit 29c69e6a47d0104d0afcea6ac35e7ab02fde809a shows that the code responsible for validating incoming JSON-RPC requests did not handle exceptions. Specifically, the self._receive_request_type.model_validate(...) call could raise an exception if the request was malformed. The patch wraps this call and the subsequent request-processing logic in a try...except Exception block. The change prevents the server from crashing by catching the validation error and sending a proper JSON-RPC error response to the client instead, which mitigates the denial-of-service vulnerability. The new test file, tests/issues/test_malformed_input.py, explicitly tests this scenario by sending a malformed request and asserting that the server responds with an error instead of crashing. Therefore, the _receive_loop function is the exact location of the vulnerability.
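The failure mode and the fix pattern described above, as an added stdlib-only sketch that is not the SDK's code or the commit's diff: validate_request stands in for model_validate, and the function names, the -32602 error code and the sample messages are assumptions of this example.

```python
import json

INVALID_PARAMS = -32602  # JSON-RPC 2.0 "Invalid params"; chosen by this example


def validate_request(msg):
    """Hypothetical stand-in for model_validate: raises on a malformed request."""
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        raise ValueError("method must be a string")
    if not isinstance(msg.get("params", {}), dict):
        raise ValueError("params must be an object")
    return msg


def handle(msg):
    return {"jsonrpc": "2.0", "id": msg["id"], "result": {"echo": msg["method"]}}


def receive_loop_unguarded(raw_messages):
    """Pre-patch shape: a validation error propagates and ends the loop."""
    responses = []
    for raw in raw_messages:
        responses.append(handle(validate_request(json.loads(raw))))
    return responses


def receive_loop_guarded(raw_messages):
    """Post-patch shape: validation and handling sit inside try/except."""
    responses = []
    for raw in raw_messages:
        msg = json.loads(raw)
        req_id = msg.get("id") if isinstance(msg, dict) else None
        try:
            responses.append(handle(validate_request(msg)))
        except Exception:
            # Answer the bad request with an error and keep serving.
            error = {"code": INVALID_PARAMS, "message": "Invalid request parameters"}
            responses.append({"jsonrpc": "2.0", "id": req_id, "error": error})
    return responses


# Constructed sample traffic: one malformed request between two valid ones.
SAMPLE = [
    '{"jsonrpc": "2.0", "id": 1, "method": "ping"}',
    '{"jsonrpc": "2.0", "id": 2, "method": "tools/call", "params": "not-an-object"}',
    '{"jsonrpc": "2.0", "id": 3, "method": "ping"}',
]
```

With the unguarded loop, request 3 is never answered because the exception from request 2 ends processing; the guarded loop returns an error for request 2 and a normal result for request 3.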