MCP Security Digest — June 2025

MCP Security is a top concern for anyone building Agentic AI systems. The Model Context Protocol (MCP) connects tools, agents, and actions. It plays a role similar to TCP/IP—but for autonomous workflows. If MCP is compromised, the entire agent stack is at risk. Attackers can inject prompts, hijack tools, and reroute agent behavior.

In this digest, we explain why MCP Security matters now—and how to defend against the growing wave of real-world threats.

Attacks & Vulnerabilities

Model Context Protocol: Security Risks and Exploits

This post explains how the dynamic nature of the Model Context Protocol (MCP) introduces prompt injection and confused deputy risks, effectively letting malicious servers control AI clients. The author demonstrates a novel exploit chain and highlights the inherent vulnerabilities in tool discovery and invocation. It underscores that even secure-looking setups can be hijacked if tool inputs are not strictly controlled.

Prompt Injection and Execution Attacks on MCP

This academic paper introduces a new attack called MPMA, where a malicious MCP server manipulates LLMs to prefer it over others for economic gain. The attack uses prompt and tool description manipulation, including a stealthier genetic algorithm variant (GAPMA), to bias LLM choices. The study warns that open MCP ecosystems are vulnerable to subtle manipulation and require better defense mechanisms.

Exploiting GitHub Misconfigurations in MCP Servers

Defensive Tools & Frameworks for MCP Security

Secure MCP Gateway Architecture (arXiv)

This paper outlines a practical security framework for safely deploying MCP in enterprise environments. Building on earlier research, the authors identify key risks like tool poisoning and provide threat modeling, implementation strategies, and defense-in-depth patterns tailored to real-world MCP use. The goal is to translate theoretical risks into actionable enterprise-grade controls for secure AI integration and governance.

Python SDK for Secure MCP Integrations

A Python implementation of the Model Context Protocol (MCP) with Enhanced Tool Definition Interface (ETDI) security extensions that seamlessly integrates with existing MCP infrastructure.

Threat Models and Risk Analysis of MCP Security

Security Risks in MCP (Analytics Vidhya)

This article explains how the Model Context Protocol (MCP), often referred to as the “USB-C for AI agents,” introduces new attack surfaces for LLM-based tools. The author identifies six major vulnerabilities, including side-channel attacks and insecure tool integrations, that can compromise secrets and infrastructure. Each risk is explained with potential impact and mitigation strategies.

MCP Security in 2025 – Part 1 (PromptHub)

Leidos researchers detail how MCP can be exploited for command injection, unauthorized access, and credential theft using models like Claude and Llama. Their analysis shows that 43% of MCP servers had injection flaws, and they propose an AI-based tool for vulnerability scanning. The study highlights the tension between MCP’s flexibility and its significant security risks.

5 MCP Security Tips (NCC Group)

This blog provides a technical breakdown of how function calling works in MCP and the associated security risks. It clarifies common misconceptions about LLMs directly invoking tools and explains how agents translate model output into tool calls. The article includes best practices for securing these interactions and understanding MCP’s under-the-hood architecture.

Building a Safer Agentic Future on Windows

Microsoft introduces MCP support in Windows 11 and outlines a roadmap for building secure agentic systems. The post identifies critical threats like cross-prompt injection, credential leakage, and command execution risks. It emphasizes the need for authentication, containment, and MCP server vetting to support safe and scalable AI workflows.

Authentication for MCP

Spring AI MCP Client with OAuth2

MCP Security 101: Introductory Guides

Security Risks & Mitigations Overview

This guide outlines the major security vulnerabilities introduced by the Model Context Protocol (MCP) in LLM-based systems, including prompt injection, tool poisoning, and token theft. It explains how MCP structures context and task inputs for LLMs and details practical strategies to mitigate associated risks like rug pulls and consent fatigue. The goal is to ensure safe and robust deployment of AI tools using MCP.

Security 101: Model Context Protocol

This beginner-friendly post covers key security risks in MCP implementations, such as prompt injection, context hijacking, and identity spoofing. It emphasizes the importance of applying cybersecurity and data governance principles to secure AI-agent interactions with tools and data. The article provides concise examples and serves as a foundational primer for enterprise teams working with MCP.

MCP Security Resources & Test Kits

Vulnerable MCP Server for Penetration Testing

This project tracks known vulnerabilities within MCP servers. The website is designed to be easily updated by modifying a markdown file instead of directly editing HTML.

Subscribe for updates

Stay up to date with what is happening! Plus, get a first look at news, noteworthy research, and the worst attacks on AI—delivered right to your inbox.