Overview
All MCP server output vectors—return values, error messages, metadata, resource content, and logging—can carry hidden prompt injection payloads. This demonstrates that no output channel from an MCP server is safe from injection.
Who Is Affected
Discovered by CyberArk threat research team. This affects the entire MCP ecosystem because every interaction between server and client involves output that can be poisoned.
Where It Exists
The vulnerability is systemic across all MCP communication channels. Every response field that an MCP server can populate (tool results, error descriptions, resource metadata, log messages) is processed by the LLM and can influence its behavior.
When It Was Found
Published July 2025 by CyberArk. This research generalizes individual injection findings into a comprehensive analysis of all output vectors.
How It Works
CyberArk demonstrated injection through five channels: (1) Tool return values containing hidden instructions, (2) Error messages with embedded prompts that execute when the LLM processes the error, (3) Resource metadata with injected content, (4) Resource content bodies with hidden text, and (5) Log and notification channels. Each channel was confirmed to successfully inject instructions into the LLM context.
Impact
Since every output channel is exploitable, defense cannot focus on a single vector. A compromised or malicious server can inject instructions through whichever channel is most likely to evade detection. This undermines output sanitization approaches that only clean specific fields, demonstrating the need for comprehensive content security.
Mitigation
Implement comprehensive output sanitization across ALL MCP response fields, not just tool results. Deploy prompt injection detection on every piece of data flowing from server to client. Use structured output schemas that separate data from instructions. Consider output-isolation architectures where server responses are processed in a sandboxed context.