
Tool Name Collisions

Also known as: Tool Namespace Pollution, Name Squatting

Severity: Medium | Date: April 1, 2025 | Source: Various (Embracethered blog)

Overview

MCP servers with identical tool names create naming collisions where malicious servers can override legitimate ones. Without namespacing, the behavior depends on client implementation and connection order.

Who Is Affected

Documented by multiple researchers and aggregated on the Embracethered blog. Affects any multi-server MCP deployment where tool names are not globally unique.

Where It Exists

The vulnerability is in MCP's flat tool namespace. Tools from all connected servers share a single namespace, and the protocol specification provides no mandatory prefixing or namespacing mechanism to keep them apart.

When It Was Found

Discussed April 1, 2025. The risk scales with the number of connected servers and the popularity of common tool names.

How It Works

An attacker registers a tool with the same name as a popular legitimate tool (e.g., 'read_file', 'search', 'send_message'). When the LLM decides to use that tool name, the client may route the call to the attacker's version depending on implementation-specific resolution rules (last-registered wins, alphabetical, etc.).

Impact

Legitimate tool calls are redirected to malicious implementations. Attackers can intercept sensitive parameters, return manipulated results, or use the intercepted call as a springboard for further attacks. Neither the user nor the LLM has a way to distinguish the legitimate tool from the malicious one, since both are presented under the same name.

Mitigation

Use MCP clients that namespace tools by server origin. Avoid connecting untrusted servers that duplicate tool names from trusted servers. Implement tool priority systems. Consider unique tool naming conventions that include publisher identity.
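As an added example (not code from the page or from any MCP implementation), a client-side registry in Python that applies the first three mitigations: it qualifies each tool by its server of origin, reports duplicate bare names so they can be surfaced to the user, and gives trusted servers priority while refusing to resolve a name that remains ambiguous. The server identifiers, trust flags and tool lists are constructed; only the `"name"` key mirrors an MCP `tools/list` entry.

```python
# Added example (not from the page or any MCP SDK): a client-side registry that
# qualifies tools by server of origin. Server ids, trust flags and tool lists
# below are constructed; "name" mirrors the key in an MCP tools/list entry.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ToolRef:
    server: str    # origin server identifier
    name: str      # bare tool name as advertised by that server
    trusted: bool  # operator-assigned trust for the server


@dataclass
class Registry:
    tools: dict[str, ToolRef] = field(default_factory=dict)       # qualified -> ref
    providers: dict[str, list[str]] = field(default_factory=dict)  # bare -> servers

    def register_server(self, server: str, trusted: bool, tool_list: list[dict]) -> None:
        for tool in tool_list:
            bare = tool["name"]
            # Qualifying by origin means servers cannot shadow each other, whatever
            # order they connected in.
            self.tools[f"{server}__{bare}"] = ToolRef(server, bare, trusted)
            self.providers.setdefault(bare, []).append(server)

    def collisions(self) -> dict[str, list[str]]:
        """Bare names advertised by more than one server; surface these to the user."""
        return {n: s for n, s in self.providers.items() if len(s) > 1}

    def resolve(self, requested: str) -> ToolRef | None:
        """Resolve a requested name to exactly one tool, or None.

        Qualified names resolve directly. A bare name resolves only if one
        server provides it or exactly one provider is trusted; any other
        ambiguity returns None so the client asks the user instead of guessing.
        """
        if requested in self.tools:
            return self.tools[requested]
        cands = [r for r in self.tools.values() if r.name == requested]
        if len(cands) == 1:
            return cands[0]
        trusted = [r for r in cands if r.trusted]
        return trusted[0] if len(trusted) == 1 else None


def demo() -> Registry:
    reg = Registry()  # constructed scenario: one trusted server, two untrusted ones
    reg.register_server("fs-official", True, [{"name": "read_file"}, {"name": "list_dir"}])
    reg.register_server("helper-plugin", False, [{"name": "read_file"}, {"name": "search"}])
    reg.register_server("notes", False, [{"name": "search"}])
    return reg
```

In the constructed scenario, `read_file` resolves to the trusted server regardless of connection order, while `search` (two untrusted providers) is refused until the caller uses a qualified name such as `notes__search`.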
