A specialized form of prompt injection where malicious instructions are tucked away in the tool descriptions themselves—visible to the LLM but not normally displayed to users. Attackers can create tools with hidden instructions that cause the LLM to perform unauthorized actions, such as exfiltrating private data from the user's system. For example, a seemingly innocent calculator tool could include hidden instructions telling the LLM to read sensitive files and pass their contents as a parameter, which is then sent to an attacker's server before returning the calculation result.

MCP tools can mutate their own definitions after installation. Users approve a safe-looking tool initially, but later the tool quietly changes its behavior to perform malicious actions such as rerouting API keys to an attacker. Most MCP clients do not notify users about changes to tool descriptions after initial approval, making this particularly dangerous. Even client implementations that show users initial tool descriptions often fail to alert them if those descriptions change.

With multiple servers connected to the same agent, a malicious server can override or intercept calls made to a trusted one. This is especially problematic because LLMs will trust anything that can send them convincing tokens, making them extremely vulnerable to confused deputy attacks. This vulnerability allows attackers to effectively control legitimate tools by intercepting or redirecting calls intended for them, potentially leading to unauthorized actions or data access.

An attack against the whatsapp-mcp server that connects personal WhatsApp accounts to MCP-enabled LLM systems. A malicious server can define an innocent-looking tool that later swaps its definition to steal message history and send it to the attacker. The attack uses techniques like adding large amounts of whitespace before the exfiltrated data to hide it from the user interface (as many interfaces hide horizontal scrollbars by default), making it less likely users will notice what's happening.

The MCP protocol specification mandates session identifiers in URLs (using patterns like GET /messages/?sessionId=UUID), which fundamentally violates security best practices. This design exposes sensitive identifiers in logs, browser history, and referrer headers, allowing potential session hijacking by attackers. This vulnerability is built into the protocol design itself rather than being an implementation error, making it harder to address without protocol modifications.

Malicious MCP servers can inject prompts through tool descriptions to manipulate AI model behavior without being explicitly invoked, effectively bypassing security measures designed to protect users. This vulnerability exploits the fact that MCP clients update the model's context with tool descriptions immediately upon connection, before any user approval or tool invocation occurs. The attack allows malicious servers to execute attacks before any security checkpoints are in place, undermining MCP's core security promises. For example, a malicious server could include instructions in its tool description to prefix all shell commands with dangerous operations.

MCP's stdio transport enables frictionless local server use without running an HTTP server, creating a low-friction path for less technical users to download and run potentially malicious third-party code on their local machines. Many MCP integrations instruct users to download and run code to use them, increasing the risk of exploitation, especially since it's common for server implementations to effectively "exec" input code. This changes the traditional security model where users must explicitly approve code execution.

Malicious MCP servers can trigger repeated consent requests, causing users to become fatigued and unknowingly grant excessive permissions. This social engineering tactic exploits human behavior patterns to bypass security measures that rely on user confirmation. The attack takes advantage of users' tendency to approve prompts without careful review when they appear frequently, gradually increasing the permissions granted to malicious servers.

MCP servers with identical tool names can lead to naming collisions where malicious servers override legitimate ones. When multiple servers expose tools with the same name, the behavior depends on client implementation, often favoring the most recently connected server. This vulnerability can be exploited by malicious servers to hijack legitimate tool functionality, redirecting actions intended for trusted tools to malicious endpoints.

Many examples of MCP software store long-term API keys for third-party services in plaintext on the local filesystem, often with insecure, world-readable permissions. This practice is widespread in the MCP ecosystem, observed in multiple tools from official servers connecting to GitLab, Postgres, and Google Maps, to third-party connectors. This vulnerability leaves users one file disclosure away from having their API keys stolen and their third-party service data compromised. Local malware, arbitrary file read vulnerabilities, and automated cloud backups all provide easy pathways for attackers to extract these credentials without needing complex exploits.

Attackers can use ANSI terminal escape codes to hide malicious instructions in MCP tool descriptions and outputs, making them invisible on the screen while still being processed by the LLM. This technique leverages the line jumping vulnerability to further deceive even security-aware users. In tests with Claude Code (Anthropic's command-line interface), researchers found no filtering or sanitization for tool descriptions containing ANSI escape sequences. This allows attackers to launch supply chain attacks by injecting hidden suggestions to download packages from malicious servers, planting backdoors in dependencies, or manipulating development environments without users noticing.

Malicious MCP servers can exploit the Model Context Protocol to covertly exfiltrate entire conversation histories by injecting trigger phrases into tool descriptions. Unlike direct command execution, which can be crude and easily detectable, this stealth approach allows for targeted data theft with minimal chance of detection. The attack works by inserting tool descriptions that instruct the model to forward the conversation history when the user types a common phrase like "thank you." Since these histories often contain sensitive information like API keys, credentials, intellectual property, and proprietary business strategies, this vulnerability allows attackers to passively collect valuable data over extended periods without triggering suspicion.