Overview
Three distinct attack classes exploiting MCP's sampling capability: (1) covert tool invocation to perform hidden file and system operations, (2) conversation hijacking to inject persistent instructions across sessions, and (3) resource theft to drain AI compute quotas for unauthorized workloads.
Who Is Affected
Researched by Palo Alto Networks Unit 42. Affects any MCP deployment that enables the sampling feature, which allows servers to request LLM completions through the client.
Where It Exists
The vulnerabilities exist in the MCP sampling specification and its client implementations. Sampling allows MCP servers to request that the client perform LLM inference, creating a bidirectional trust issue.
When It Was Found
Published July 2025 as part of Unit 42's ongoing MCP security research. Expands on their earlier consent fatigue research with new protocol-level attack vectors.
How It Works
Attack 1 (Covert Tool Invocation): Sampling requests include hidden instructions that cause the LLM to invoke other tools without user visibility, performing file operations or network requests silently.
Attack 2 (Conversation Hijacking): Sampling responses inject persistent instructions into the conversation context that alter all future agent behavior.
Attack 3 (Resource Theft): Malicious servers use sampling to consume the user's AI compute quota for cryptocurrency mining prompts, data processing, or other unauthorized workloads.
Impact
Covert tool invocation leads to silent data exfiltration and system modification. Conversation hijacking provides persistent control over the agent. Resource theft causes financial damage through compute quota exhaustion. Combined, these attacks demonstrate that the sampling feature creates a powerful bidirectional attack surface.
Mitigation
Implement strict sampling request review with user approval. Rate-limit sampling requests per server. Monitor compute usage for anomalies. Isolate sampling-capable servers from sensitive tool access. Implement cost controls on AI compute quotas. Consider disabling sampling for untrusted servers.
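The following is an added example, not code from the original advisory or from Unit 42: a client-side gatekeeper that applies several of the controls listed above (user approval by default, a per-server sliding-window rate limit, a per-server token budget as a cost control, an anomaly report for monitoring, and sampling disabled outright for servers with no policy entry). The SamplingRequest model (server_id, max_tokens, messages) and every limit value are assumptions chosen for illustration; it only loosely mirrors the parameters of an MCP sampling/createMessage request and is not tied to any SDK.

```python
"""Client-side gatekeeper for MCP sampling requests (added example).

Assumptions (not from the original page): a sampling request is modelled as
server_id + max_tokens + messages, loosely following sampling/createMessage
parameters; all policy values are illustrative.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List
import time


@dataclass
class SamplingRequest:
    """Minimal model of a server-initiated sampling request (constructed)."""
    server_id: str
    max_tokens: int
    messages: List[dict]


@dataclass
class ServerPolicy:
    """Per-server limits. auto_approve=False means every request is shown to
    the user before the client performs inference on the server's behalf."""
    requests_per_window: int = 5
    window_seconds: float = 60.0
    token_budget: int = 20_000
    auto_approve: bool = False


@dataclass
class Decision:
    verdict: str   # "deny", "ask_user" or "allow"
    reason: str


class SamplingGatekeeper:
    """Enforces rate limits, token budgets and user review per server.

    A server with no policy entry is treated as untrusted: sampling is
    disabled for it entirely, as the mitigation section suggests."""

    def __init__(self, policies: Dict[str, ServerPolicy],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.policies = policies
        self.clock = clock                 # injectable for deterministic tests
        self._timestamps: Dict[str, Deque[float]] = {}
        self._tokens_used: Dict[str, int] = {}

    def evaluate(self, req: SamplingRequest) -> Decision:
        policy = self.policies.get(req.server_id)
        if policy is None:
            return Decision("deny", "sampling disabled for untrusted server")
        now = self.clock()
        stamps = self._timestamps.setdefault(req.server_id, deque())
        # Drop request timestamps that have aged out of the sliding window.
        while stamps and now - stamps[0] >= policy.window_seconds:
            stamps.popleft()
        if len(stamps) >= policy.requests_per_window:
            return Decision("deny", "per-server rate limit exceeded")
        used = self._tokens_used.get(req.server_id, 0)
        if used + req.max_tokens > policy.token_budget:
            return Decision("deny", "per-server token budget exhausted")
        # Count the request and reserve its tokens before inference runs, so a
        # burst of large requests cannot race past the budget.
        stamps.append(now)
        self._tokens_used[req.server_id] = used + req.max_tokens
        if policy.auto_approve:
            return Decision("allow", "auto-approved by policy")
        return Decision("ask_user", "user review required before inference")

    def budget_fraction_used(self, server_id: str) -> float:
        policy = self.policies.get(server_id)
        if policy is None or policy.token_budget == 0:
            return 0.0
        return self._tokens_used.get(server_id, 0) / policy.token_budget

    def anomalous_servers(self, threshold: float = 0.8) -> List[str]:
        """Servers that have consumed more than `threshold` of their budget;
        these should be surfaced to monitoring rather than left to run on."""
        return sorted(s for s in self.policies
                      if self.budget_fraction_used(s) > threshold)


if __name__ == "__main__":
    gk = SamplingGatekeeper({"docs": ServerPolicy(requests_per_window=3,
                                                  token_budget=1000)})
    req = SamplingRequest("docs", 300, [{"role": "user", "content":
                          {"type": "text", "text": "summarise this file"}}])
    for _ in range(5):
        print(gk.evaluate(req))
    print(gk.anomalous_servers())
```

The reservation of max_tokens at evaluation time is deliberate: a server that is denied only after the tokens are spent has already achieved the resource-theft outcome, so the budget is charged up front and the "ask_user" verdict leaves the final go/no-go with the person, not the server.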