MCP Security Digest — May 2025

Categories: MCP Security, Digests | Author: ADMIN | May 7, 2025

Background

MCP Security is a top concern for anyone building Agentic AI systems. The Model Context Protocol (MCP) connects tools, agents, and actions. It plays a role similar to TCP/IP—but for autonomous workflows. If MCP is compromised, the entire agent stack is at risk. Attackers can inject prompts, hijack tools, and reroute agent behavior.

In this digest, we explain why MCP Security matters now—and how to defend against the growing wave of real-world threats.

Exploits, Vulnerabilities & Threat Modeling

Vulnerability Taxonomy of MCP – arXiv

This paper reveals critical security risks in MCP-based agent workflows, including remote code execution, credential theft, and unauthorized system access. The authors introduce MCPSafetyScanner, a tool that uses agents to identify adversarial behaviors and generate security reports for MCP servers. The work highlights the urgent need for proactive auditing before deployment.

Prompt Injection in MCP – Simon Willison

This article outlines prompt injection risks and related vulnerabilities in MCP-based tools, such as tool shadowing and data exfiltration. The author warns about mixing untrusted instructions with powerful tools and highlights common implementation mistakes. The piece reflects growing concerns as more developers experiment with MCP.

Conversation Leak via MCP – Trail of Bits

This post demonstrates a stealthy attack using malicious tool descriptions to trigger conversation exfiltration based on user input. The technique allows attackers to collect entire chat histories when certain phrases (like “thank you”) appear naturally. It highlights the subtle but serious risks of trusting external MCP servers.

The S in MCP Stands for Security – Elena Cross

This article introduces MCP and warns that it’s not secure by default. Connecting agents to arbitrary MCP servers can expose secrets, systems, and infrastructure if security controls aren’t applied. The author breaks down real-world risks and why developers need to be cautious.

Everything Wrong with MCP – Shrivu

The author, a fan of MCP, shares a critical review of its vulnerabilities and architectural challenges. While the protocol enables powerful integrations, it also introduces new risks that many developers may not fully understand. The post offers a reality check for those adopting MCP too quickly.

MCP: A Security Nightmare – Medium

This piece explores MCP as a promising integration layer for AI agents, but emphasizes that it creates a wide attack surface if used without safeguards. The author explains how MCP simply transports messages and doesn’t enforce access control by itself. The proposed Agent Security Framework helps address these gaps and enforce trust boundaries.

MCP Security Part 2 – OGWilliam Blog

This article breaks down tangible security threats that affect every phase of an MCP server’s lifecycle — from creation to deployment. It highlights critical risks like name collisions, installer spoofing, and code injection that attackers can exploit if proper controls aren’t in place. The piece emphasizes that ignoring these threats could have severe consequences for any organization building MCP-enabled systems.

MCP is a Security – HackerNoon

While MCP is often described as the “USB-C of AI agents” for its elegant integration model, this article urges caution. The author explains that MCP is just a communication layer — and without built-in safeguards, it introduces hidden risks in how models interact with tools. The piece calls on developers to think beyond ease-of-integration and proactively address what could go wrong.

Security Risks of MCP – Upwind

Modern AI models need real-time context to act like true assistants, but they can’t access live data or events on their own. This article explains how emerging methods like RAG, agent frameworks, and tool use fill that gap — but all depend on a reliable protocol. It sets the stage for why systems like MCP are essential for enabling secure, context-aware AI.

Layered Threat Mitigations – Wael Saideni

This article explores the rising urgency of securing AI agents as they evolve into tool-using, real-time systems—and positions MCP as a critical infrastructure layer. While MCP enables powerful integration between models, tools, and data, it introduces new security risks. The post provides a detailed breakdown of threat types and mitigation strategies based on recent academic research.

Securing AI’s New Frontier – OWASP GenAI

The OWASP GenAI Security Project emphasizes fast, collaborative security guidance for emerging AI technologies like MCP. This article explains how MCP opens new security risks due to its real-time integrations and rapid adoption—and how OWASP is responding with timely advice, even before formal standards are finalized. It highlights the balance between agility and thoroughness in community-driven security work.

Security Considerations – Writer

This article explains MCP in simple terms for engineers and tech leaders, showing how it connects LLMs with sensitive systems and APIs. It warns that without strong safeguards, attackers can manipulate AI agents into performing harmful actions like exfiltrating data or executing commands. The piece concludes with actionable recommendations for making MCP secure in enterprise environments.

Secrets of MCP – GitGuardian

This write-up highlights how MCP’s fast adoption and distributed design pose serious security concerns, including real-world data leaks. It explains how MCP enhances AI agent functionality by linking them to external tools—but also requires careful handling of secrets and identities. The piece urges organizations to understand these risks before deploying MCP in production.

Research & Standards for MCP Security

OAuth for MCP – Aaron Parecki

This article explains a key misunderstanding in MCP’s current authorization approach—specifically, the unnecessary conflation of the resource server and the authorization server roles. Drawing on OAuth standards, the author advocates for clearer separation of responsibilities to simplify implementation and align better with enterprise security practices.

Mitigating MCP Risks – arXiv:2504.12757

This research introduces MCP Guardian, a framework that enhances security across MCP communications with features like authentication, WAF scanning, logging, and rate limiting. It tackles real-world threats posed by malicious or compromised tool servers, offering a defense-in-depth model. The framework supports scalable, secure data access for AI assistants while maintaining low overhead.

Defense Strategies for Agentic Systems – arXiv:2504.19997

Targeted at enterprise environments, this paper proposes the MCP Gateway—a secure architecture for self-hosting MCP servers without exposing sensitive infrastructure. It incorporates authentication, secure tunneling, and intrusion detection to support robust AI tool integration. The work includes a reference design, threat model, and practical open-source tools for secure deployments.

Tools for MCP Security and Testing

Offensive Tools:

mcpSafetyScanner – GitHub

MCPSafetyScanner is a safety auditor for Model Context Protocol (MCP) servers. Point it at your MCP server config file and the software will use multiple agents to audit your setup and produce a safety report. Developers can use this information to patch the reported issues, and users can use it to harden their systems.

mcp-scan – GitHub

MCP-Scan is a security scanning tool to both statically and dynamically scan and monitor your MCP connections. It checks them for common security vulnerabilities like prompt injections, tool poisoning and cross-origin escalations.

mcp-ethical-hacking – GitHub

This repository is intended for educational purposes to demonstrate the potential security risks in MCP implementations, and how to recognize and prevent security issues.

Defensive Tools:

mcp-gateway – GitHub

MCP Gateway is a lightweight and highly available gateway service written in Go. It enables individuals and organizations to convert their existing MCP Servers and APIs into services compliant with the MCP Protocol — all through configuration, with zero code changes.

Educational Resources:

damn-vulnerable-MCP-server – GitHub

The Damn Vulnerable Model Context Protocol (DVMCP) is an educational project designed to demonstrate security vulnerabilities in MCP implementations. It contains 10 challenges of increasing difficulty that showcase different types of vulnerabilities and attack vectors.

mcpsecurity – GitHub

This project is an intentionally vulnerable MCP app, designed for security research.

Article & Commentary on MCP Security

Security Rakes in MCP – Den.dev

This brief commentary highlights a crucial gap in the public conversation around MCP security. While praising MCP’s potential and community momentum, the author warns against overlooking basic security principles amid widespread excitement—urging users to temper innovation with thoughtful threat awareness.
