Overview
An academic analysis of 67,057 MCP servers across 6 public registries found that a substantial number can be hijacked because the registries lack vetted submission processes. Untrusted servers can exfiltrate data from co-connected trusted servers through the shared agent context.
Who Is Affected
The study was conducted by academic security researchers. Its findings affect the entire MCP ecosystem, because registries are the primary discovery mechanism for MCP servers and none of the studied registries implements thorough vetting.
Where It Exists
The vulnerability is in MCP server registries (directories where users discover and install servers). Six major public registries were analyzed and all were found to lack adequate submission vetting, identity verification, and integrity controls.
When It Was Found
Published as arXiv:2510.16558 in 2025. The research represents the first large-scale empirical study of MCP registry security.
How It Works
Attackers submit malicious MCP servers to public registries using minimal or fabricated identity information. The servers pass basic checks (valid manifest, working endpoints) but contain hidden malicious behavior. When users install these servers alongside legitimate ones, the malicious server can exploit shared agent context to intercept or manipulate calls to trusted servers, exfiltrate data, or inject instructions.
Impact
Large-scale supply chain compromise of the MCP ecosystem. Users who discover servers through registries have no reliable way to distinguish malicious from legitimate servers. The shared agent context means a single malicious server can compromise all co-connected trusted servers. At scale, this enables widespread data theft and agent manipulation.
Mitigation
Implement vetted submission processes for MCP registries with identity verification. Deploy code signing and integrity verification for published servers. Use server reputation systems and community reporting. Isolate untrusted servers from trusted ones using separate agent contexts. Audit installed servers regularly against known-good hashes.
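The last mitigation, auditing installed servers against known-good hashes, could look like the following. This is an added example, not code from the paper or from any registry; the one-folder-per-server layout, the server names and the pinned-hash dictionary are assumptions, and the sample data is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_digest(root: Path) -> str:
    """SHA-256 over every file's relative path and content, in sorted order."""
    h = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix().encode()
        data = path.read_bytes()
        # Length-prefix each field so path/content boundaries are unambiguous.
        h.update(len(rel).to_bytes(8, "big") + rel)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def audit(install_dir: Path, pinned: dict[str, str]) -> dict[str, str]:
    """Return {server_name: status} covering installed and pinned servers."""
    installed = {d.name: d for d in install_dir.iterdir() if d.is_dir()}
    report = {}
    for name, path in installed.items():
        if name not in pinned:
            report[name] = "unpinned"   # installed but never vetted
        elif tree_digest(path) != pinned[name]:
            report[name] = "modified"   # content drifted from the vetted copy
        else:
            report[name] = "ok"
    for name in pinned.keys() - installed.keys():
        report[name] = "missing"        # vetted entry with nothing on disk
    return report

def demo() -> dict[str, str]:
    """Constructed sample: three server folders, one changed after pinning."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("files-server", "mail-server", "weather-server"):
            (root / name).mkdir()
            (root / name / "server.py").write_text(f"# {name} entry point\n")
        pinned = {n: tree_digest(root / n) for n in ("files-server", "mail-server")}
        pinned["calendar-server"] = "0" * 64  # placeholder hash, not installed
        # Simulate a post-install change to a previously vetted server.
        (root / "mail-server" / "server.py").write_text("# changed\n")
        return audit(root, pinned)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

Any status other than "ok" is a reason to stop loading that server into an agent context shared with trusted servers until it has been reviewed.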