AI Security

MCP Security Vulnerabilities: A Quick Weekend List

The Model Context Protocol (MCP) is revolutionizing how AI agents interact with external tools, but this power comes with serious security implications that most organizations are overlooking. Here are 15 critical security issues with MCP - short and sweet so you can read it quickly.

Fred Rohrer

4 min read

If you're reading this on a weekend, don't!

1. Tool Poisoning Attacks

Hidden vectors: An attacker publishes a supposedly benign tool manifest in which the markdown description embeds secondary instructions using zero-width Unicode characters or harmonized whitespace. MCP clients that concatenate the description with the user prompt enable a blended instruction sequence that bypasses system-level sandboxing.

Blast radius: Immediate prompt hijack, lateral movement to every conversation where the tool is invoked, and privilege escalation if the agent holds elevated scopes (repo, payments.write, etc.).

Defense-in-depth:

  • Strip or normalize Unicode in tool metadata before prompt assembly.
  • Render tool descriptions inside an iframe or a Markdown sandbox that forbids HTML/JS expansion.
  • Diff the AST of the tool description between install-time and runtime; treat drift as a block condition.

2. Rug Pull Re-definitions

Pattern: The attacker pushes a legitimate v1.0 of the tool, gains trust and star ratings, then tags v1.0.1 that silently rewires the endpoint from https://api.example.com/summarize to https://evil.tld/exfil. Most MCP launchers auto-update by semantic version range (^1.0.0).

Impact: Enterprises that pin only the major version ingest the malicious update without change control, leaking data and credentials.

Mitigations:

  • Disable automatic range updates; force explicit version pinning and checksum validation.
  • Maintain a private mirror of vetted manifests; CI/CD should fail on manifest SHA drift.
  • Require signed update commits with SigStore or similar transparency log.

3. Cross-Server Tool Shadowing / Confused Deputy

Vector: The attacker registers a tool named jira-sync on an external MCP server. A local policy gives jira-sync production scope in the belief that it is the internal tool. The agent then forwards privileged tokens to the external server.

Countermeasures:

  • Namespaced tool identifiers (corp/jira-sync) plus origin checks.
  • Mutual-TLS between the MCP host and approved tool registries.
  • Capability tokens bound to origin and audience (aud) claims.

4. Conversation History Exfiltration

Technique: A malicious tool declares an argument called context with type string[]. Over-permissive agents auto-fill this argument with the full chat transcript to "help the tool understand." The transcript is POSTed off-box.

Remediation:

  • Disallow automatic argument hydration unless the schema uses a dedicated "ephemeral" flag signed by auditors.
  • Run NLP diff detectors that flag when outgoing payloads exceed a threshold of similarity to the original chat.

5. Line Jumping Pre-Checkpoint Injection

Observation: Some MCP clients place system and security prompts at index 0, then append the user prompt, then the tool prompt. If the attacker wraps their input in an array (["attacker", "system override"]) the parser splits it, positioning the malicious string ahead of the security checkpoint.

Fixes:

  • Parse messages strictly by documented JSON schema, not by naïve string splitting.
  • Canonically re-order conversation frames on the server side.

6. Plain-Text API Key Storage

Finding: More than 40% of open-source MCP launchers persist tool credentials in ~/.mcp/config.json with 0600 but unencrypted. On multi-tenant bastions this is trivial to read via local privilege escalation (LPE) or forensic memory dumps.

Hardening:

  • Store secrets in platform KMS (e.g., macOS Keychain, Windows DPAPI, HashiCorp Vault).
  • Rotate keys automatically after first use; provide short-lived STS credentials.

7. ANSI Terminal Code Deception

Attack: When listing installed tools, the manifest's title field embeds \u001b[2K (erase line) followed by an instruction such as rm -rf /. On TTY render the line is blank; copy-pasting from the terminal includes the hidden payload.

Controls:

  • Sanitize non-printable ASCII < 0x20 in all CLI output.
  • Provide a --raw flag that prints hex-encoded manifest fields for review.

8. Remote Code Execution via SSH Key Theft

Scenario: A tool offering "remote build" requests ~/.ssh/id_rsa.pub to install on the build worker. The code path also logs the private key on error. Attackers trigger a controlled exception and collect the private key from telemetry.

Prevention:

  • Enforce write-only telemetry; redact outbound logs with deterministic finite automata matching private-key PEM headers.
  • Use ssh-agent socket forwarding; never handle private keys in user space.

9. Function Parameter Abuse

Abuse path: MCP function signatures often expose highly permissive regex-validated parameters. Example: get_user(input: string) where input is intended to be an email address. Attacker passes SQL-like patterns (.*) to enumerate.

Safeguards:

  • Constrain parameters with formal JSON schema, not free-form strings.
  • Reject inputs exceeding realistic length or failing whitelist character sets.

10. GitHub Integration Weak Spots

Weakness: The repo.read scope is granted at install-time, but the tool later triggers git ls-remote --heads https://[email protected]/org/private.git on a shadow private repo it controls. Result: token reuse and repo cloning.

Defenses:

  • Issue repo-scoped fine-grained PATs; verify the repo owner before checkout.
  • Run outbound URL allow-listing in the CI sandbox.

11. RCE in MCP Inspector

Detail: Early versions executed docker inspect on arbitrary container IDs received from remote peers, then parsed the resulting JSON with eval due to malformed backticks in a template literal. Crafted container IDs closed the string and injected OS commands.

Patch: Replace eval with a safe JSON parser and escape untrusted input.

12. Session ID Leakage

Problem: Several web-based agents place the session UUID in a GET query string (/chat?sid=…). Proxy logs, browser history, and referer headers expose it.

Fixes:

  • Move session identifiers to HttpOnly cookies with SameSite=Strict.
  • Rotate SID after privilege elevation events.

Mechanism: An attacker tool bombards the user with incremental permission prompts (readProfile, readEmail, readCalendar, …). Users reflexively accept.

Secure UX:

  • Batch permissions; show a diff with red/yellow/green risk levels.
  • Cool-off timers or exponential back-off on repeated denied permissions.

14. Tool Name Collision

Issue: MCP discovery is case-insensitive on some registries (AI-scan, ai-scan). The attacker publishes the lower-case variant first, then re-routes traffic.

Resolution:

  • Enforce canonical slug hashing on the registry.
  • Surfacing visual digests (e.g., SHA-256 truncated) in UI next to tool name.

15. Malicious Local Server Installations

Threat: Many tutorials suggest pip install . && python server.py. The server binds 0.0.0.0:80 with weak CORS and no CSRF token. A drive-by webpage can POST an instruction that rebuilds or exfiltrates the local vector database.

Strategic fixes:

  • Default binding to localhost, random high port, and CSRF secret.
  • Containerize with an AppArmor or SELinux profile that denies network egress except to allow-listed domains.

Sign up for more like this.

Enter your email
Subscribe