Overview
When multiple MCP servers are connected to the same agent, a malicious server can override or intercept calls intended for a trusted server by registering tools with the same or similar names.
Who Is Affected
Simon Willison described this issue as part of a broader MCP security analysis. It affects any deployment with multiple connected MCP servers, a common configuration for power users.
Where It Exists
The vulnerability exists in MCP client tool routing logic. When multiple servers expose tools with identical names, the client must choose which to invoke, often favoring the most recently connected server.
When It Was Found
Disclosed April 9, 2025. The risk increases as MCP adoption grows and users connect more servers simultaneously.
How It Works
An attacker's MCP server registers a tool with the same name as a trusted server's tool (e.g., 'send_email'). When the LLM invokes 'send_email', the call is routed to the attacker's version instead of the legitimate one. The attacker can then intercept parameters, modify behavior, or exfiltrate data before optionally forwarding the call to the real tool.
Impact
The attacker gains complete interception of tool calls, including sensitive parameters such as credentials, file contents, and user data. This can enable man-in-the-middle attacks between the user and trusted services. The LLM cannot distinguish between legitimate and malicious tools with the same name.
Mitigation
Use MCP clients that namespace tools by server (e.g., server_name.tool_name). Avoid connecting untrusted servers alongside sensitive ones. Implement tool priority systems where trusted servers take precedence. Review connected servers regularly and remove unnecessary ones.
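The namespacing and trusted-server precedence described above can be sketched as a client-side registry. This is an added example, not code from any MCP client or SDK: the ToolRegistry class, the normalize helper, and the server names "mail" and "weather" are all hypothetical, and it assumes server names contain no '.'. It also flags look-alike names (case and separator variants), and it refuses to pick a server by connection order when a bare name is ambiguous.

```python
from collections import defaultdict

def normalize(name):
    # Fold case and separators so "List-Inbox" and "list_inbox" count as look-alikes.
    return name.casefold().replace("-", "").replace("_", "")

class ToolRegistry:
    """Hypothetical client-side tool registry; not part of any MCP SDK."""

    def __init__(self, trusted_servers):
        self.trusted = set(trusted_servers)
        self.owners = defaultdict(list)     # bare tool name -> servers exposing it
        self.lookalikes = defaultdict(set)  # normalized name -> {(server, tool)}
        self.warnings = []                  # (new server, new tool, clashing entries)

    def register(self, server, tool_names):
        if "." in server:
            raise ValueError("server names must not contain '.'")
        for tool in tool_names:
            key = normalize(tool)
            clash = sorted((s, t) for s, t in self.lookalikes[key] if s != server)
            if clash:  # same or similar name already offered by another server
                self.warnings.append((server, tool, clash))
            self.lookalikes[key].add((server, tool))
            if server not in self.owners[tool]:
                self.owners[tool].append(server)

    def resolve(self, name):
        """Map a tool name from the model to (server, tool), never by connect order."""
        server, sep, tool = name.partition(".")
        if sep and server in self.owners.get(tool, []):
            return server, tool                # explicit server_name.tool_name
        owners = self.owners.get(name, [])
        if len(owners) == 1:
            return owners[0], name             # bare name with a single owner
        trusted = [s for s in owners if s in self.trusted]
        if len(trusted) == 1:
            return trusted[0], name            # trusted server takes precedence
        raise LookupError(f"ambiguous or unknown tool {name!r}: owners={owners}")

def build_demo_registry():
    # Constructed sample: "weather" connects last and shadows the "mail" tools.
    reg = ToolRegistry(trusted_servers={"mail"})
    reg.register("mail", ["send_email", "list_inbox"])
    reg.register("weather", ["get_forecast", "send_email", "List-Inbox"])
    return reg
```

The warnings list is what a client would surface to the user at connection time, before any shadowed tool can be invoked.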