When a single McpServer instance with a StreamableHTTPServerTransport is reused across multiple clients, responses can leak across client boundaries. One client may receive data intended for another client. Affects MCP TypeScript SDK v1.10.0-1.25.3. CVSS 7.1.
MCPJam inspector (versions <= 1.4.2) listens on 0.0.0.0 by default with no authentication on its critical endpoint. A crafted HTTP request can install an MCP server and execute arbitrary code on the host. No user interaction required. CVSS 9.8.
Three chained vulnerabilities in Anthropic's own mcp-server-git: CVE-2025-68145 (path validation bypass), CVE-2025-68143 (unrestricted git_init that can turn .ssh into a git repo), and CVE-2025-68144 (argument injection in git_diff). Combined with the Filesystem MCP server, these achieve full remote code execution via malicious .git/config files.
Remote code execution vulnerability in the GitHub Kanban MCP server. Allows arbitrary command execution through the MCP tool interface.
Unpatched SSRF vulnerability in the Microsoft MarkItDown MCP server can compromise AWS EC2 instances via metadata service exploitation. The server fetches arbitrary URLs without validation, enabling access to cloud infrastructure credentials. Microsoft classified this as low-risk despite demonstrated EC2 metadata access.
The Zen MCP server's is_dangerous_path() function uses exact string matching against a blacklist of sensitive paths, allowing trivial bypass via subdirectory traversal (e.g., /etc/shadow/../../../home/user/.ssh/). Enables reading arbitrary files including SSH keys and API credentials. CVSS 6.5-9.8.
Path traversal vulnerability in the filesystem-mcp module allows escaping configured directory boundaries to read or write arbitrary files on the host system.
The gemini-mcp-tool package passes unsanitized user input to execAsync shell commands. Network-exploitable with no authentication or user interaction required. CVSS 9.8. As of disclosure, no patch is available (zero-day).
The is_ip_private() function in mcp-fetch-server versions <= 1.0.2 fails to properly validate private IP addresses, allowing Server-Side Request Forgery (SSRF) attacks that reach internal network services. CVSS 9.3.
Three distinct attack classes exploiting MCP's sampling capability: (1) covert tool invocation to perform hidden file and system operations, (2) conversation hijacking to inject persistent instructions across sessions, and (3) resource theft to drain AI compute quotas for unauthorized workloads.
Academic analysis of 67,057 MCP servers across 6 public registries found that a substantial number can be hijacked due to lack of vetted submission processes. Untrusted servers can exfiltrate data from co-connected trusted servers through the shared agent context.
The Kluster Verify MCP server allows attackers to drain verification credits through unauthorized access to its MCP tools, causing financial impact and denial of service for legitimate verification operations.
A case-sensitivity bug in Cursor AI IDE allows attackers to bypass file protection mechanisms and modify .cursor/mcp.json on case-insensitive filesystems (Windows/macOS), enabling injection of malicious MCP servers and achieving remote code execution.
DNS rebinding vulnerability in the Vet MCP server's SSE transport allows external websites to interact with the locally running MCP server, bypassing browser Same-Origin Policy protections.
Prompt injection attacks against the Amp AI Agent can exfiltrate API keys from the agent's environment. Malicious content processed by the agent extracts credentials and sends them to attacker-controlled endpoints.
Supply chain attack targeting Kilo Code AI Agent users via prompt injection embedded in upstream dependencies. Malicious instructions in package metadata or code comments manipulate the agent's behavior when processing the compromised dependency.
Command injection in the Framelink Figma MCP server's fetch-with-retry.ts module. When the standard fetch fails, the server falls back to executing curl via child_process.exec without sanitizing the URL, enabling arbitrary command execution. Over 600,000 downloads and 10,000+ GitHub stars. CVSS 8.0.
The microsoft_docs_fetch tool in the Microsoft Learn MCP Server lacks URL validation, allowing requests to any host instead of restricting to microsoft.com domains. This enables SSRF attacks through the MCP server.
DNS rebinding attack against Coder's Agent API exposes user chat history to attackers. A malicious website can pivot to the locally running Coder agent and read all conversation data.
DNS rebinding vulnerability in the Neo4j MCP Cypher server (versions 0.2.2-0.3.1) bypasses the browser's Same-Origin Policy, enabling unauthorized tool invocations and complete database takeover of locally running Neo4j instances. CVSS 7.4.
An attacker shares a malicious Google Doc containing embedded prompt injection. When Cursor fetches the document via a Google Docs MCP server, it auto-executes the injected instructions with no user interaction required. This achieves zero-click remote code execution, credential theft, and persistent access.
The thirdweb MCP server enables unauthorized cryptocurrency transactions through its MCP integration. Attackers can exploit the server to initiate transactions from connected wallets without proper authorization.
The Grafana MCP server binds to 0.0.0.0:8000 by default, exposing an unauthenticated SSE interface on all network interfaces. Attackers on the network can create, update, and delete Grafana dashboards remotely without any credentials.
Malicious Jira tickets contain obfuscated prompt injection that tricks Cursor into leaking JWT tokens and credentials through the Jira MCP server. A zero-click attack where simply having the agent process a Jira ticket triggers credential exfiltration.
Cursor IDE (versions <= 1.2.4) trusts previously approved MCP configurations indefinitely without re-approval on modification. An attacker adds a benign MCP config to a shared repository, waits for user approval, then replaces it with a malicious payload. This enables persistent remote code execution. CVSS 7.2-8.8.
A malicious MCP server can inject JavaScript into Cursor's built-in browser. Cursor lacks integrity checks on runtime components loaded through MCP interactions, enabling arbitrary code execution within the IDE's browser context.
All MCP server output vectors—return values, error messages, metadata, resource content, and logging—can carry hidden prompt injection payloads. This demonstrates that no output channel from an MCP server is safe from injection.
Both the official MCP TypeScript SDK (< 1.24.0) and Python SDK (< 1.23.0) lack DNS rebinding protection for localhost-bound SSE and StreamableHTTP servers, allowing malicious websites to pivot to local MCP servers through the browser.
The mcp-remote proxy (versions 0.0.5 through 0.1.15) allows full remote code execution on the client OS when connecting to an untrusted MCP server. A malicious server can craft an authorization_endpoint response that triggers OS command injection. CVSS 9.6. First documented instance of full RCE on the client OS from a remote MCP server.
The mcp-server-kubernetes package (versions <= 2.4.9) contains unsanitized input in execSync calls within the kubectl_scale, kubectl_patch, and explain_resource tools. Shell metacharacters in tool parameters allow arbitrary command execution on the host. CVSS 7.5.
The node-code-sandbox-mcp package (versions <= 1.2.0) has command injection vulnerabilities that bypass Docker sandbox protections via unsanitized execSync calls. Exploitable through indirect prompt injection when generating code. CVSS 7.5.
Attackers inject a message into a Heroku-hosted web service to trick the MCP-connected agent into transferring ownership of the Heroku application to the attacker. Demonstrates prompt injection through application-level data affecting infrastructure management.
The create-mcp-server-stdio package uses unsafe exec() that directly concatenates user input into shell commands, enabling arbitrary command execution on the host system.
Critical RCE vulnerability (CVSS 9.4) in the MCP Inspector developer tool (versions below 0.14.1). Lack of authentication between the Inspector client and proxy enables remote code execution, chainable with DNS rebinding for browser-based exploitation.
A vulnerability in the GitHub MCP integration where attackers plant prompt injection payloads in public repository issues. When an agent (e.g., Claude Desktop) reviews these issues, it can be manipulated to leak data from private repositories accessible via the same GitHub token.
Malicious MCP servers define tools with parameters like 'system_prompt' or 'conversation_history' that instruct the LLM to populate them with sensitive context. This extracts chain-of-thought, previous tool results, system prompts, and conversation data through seemingly normal tool invocations.
Widespread practice across the MCP ecosystem of storing long-term API keys in plaintext on the local filesystem, often with world-readable permissions. Observed in official and third-party MCP servers connecting to services like GitLab, Postgres, and Google Maps.
Attackers use ANSI terminal escape codes to hide malicious instructions in MCP tool descriptions and outputs, rendering them invisible on screen while the LLM processes them normally. Demonstrated against Claude Code with no filtering or sanitization.
Malicious MCP servers inject trigger phrases into tool descriptions that instruct the LLM to forward entire conversation histories when users type common phrases like 'thank you.' The attack enables passive, long-term data collection.
Malicious MCP servers inject prompts through tool descriptions that manipulate AI behavior immediately upon connection—before any user approval or tool invocation occurs. This bypasses all security checkpoints designed to protect users.
A sophisticated two-stage attack combining tool poisoning with remote code execution. The first stage creates a persistence marker; the second stage modifies the tool's docstring to include social engineering content that tricks AI assistants into executing base64-encoded commands for SSH key theft.
MCP's stdio transport enables frictionless local server execution, creating a low-barrier path for users to download and run potentially malicious third-party code on their machines with full local privileges.
MCP tools can silently mutate their own definitions after initial user approval. A tool that appears safe during installation can later change its behavior to perform malicious actions without notifying the user.
When multiple MCP servers are connected to the same agent, a malicious server can override or intercept calls intended for a trusted server by registering tools with the same or similar names.
An attack against the whatsapp-mcp server where a malicious co-installed server steals WhatsApp message history by swapping its tool definition after approval and using UI deception techniques to hide the exfiltrated data.
A peer-reviewed study systematically demonstrating that LLMs with MCP access enable major security exploits including code execution, remote access control, and credential theft. Introduces the MCPSafetyScanner open-source audit tool for assessing MCP server security.
A specialized form of prompt injection where malicious instructions are embedded in tool descriptions—visible to the LLM but hidden from users. Attackers create tools with concealed directives that cause the LLM to perform unauthorized actions such as exfiltrating private data.
Malicious MCP servers trigger repeated consent requests to fatigue users into granting excessive permissions, exploiting human psychology to bypass approval-based security controls.
MCP servers with identical tool names create naming collisions where malicious servers can override legitimate ones. Without namespacing, the behavior depends on client implementation and connection order.
The MCP protocol specification places session identifiers in URLs (e.g., GET /messages/?sessionId=UUID), violating security best practices and exposing session tokens in logs, browser history, and referrer headers.