Skip to main content
XOR
[MCP SECURITY]

MCP Server Security

17 attack types across 4 surfaces. 7.2% of 1,899 open-source MCP servers contain vulnerabilities. Technical deep-dive with defense controls.

Attack surface map

MCPSecBench identifies 17 attack types across 4 primary surfaces. The most common: tool poisoning, data exfiltration, and cross-system privilege escalation.

Real-world findings

A study of 1,899 open-source MCP servers found 7.2% contain general vulnerabilities and 5.5% exhibit MCP-specific tool poisoning (arXiv:2506.13538). 53% use insecure static secrets; only 8.5% use OAuth (Astrix Security).

17
Attack types identified
7.2%
MCP servers with vulnerabilities
1,899
Open-source servers studied

MCP server security: attack surfaces and defenses

Model Context Protocol (MCP) servers provide tools and data to AI agents. They're the primary integration point between agents and external services. Five arXiv papers and two industry reports document security gaps in this infrastructure. See agent attack landscape for the full threat surface.

Four attack categories

Source: arXiv:2506.02040

Tool Poisoning

Malicious tool descriptions trick agents into executing harmful actions. The tool name says one thing; the implementation does another. 36.5% average attack success rate; o1-mini: 72.8% (MCPTox benchmark).

Puppet Attacks

Hijacking agent behavior through crafted tool responses. The agent receives data that rewrites its instructions, redirecting subsequent actions to attacker-controlled servers.

Rug Pull Attacks

Post-install changes to tool behavior. The MCP server passes initial review, then alters its tool implementations after gaining trust. Traditional one-time audits don't catch this. Continuous governance is required.

Malicious External Resources

Tool results reference external URLs, files, or services controlled by the attacker. The agent follows these references, expanding the attack surface beyond the MCP protocol.

Real-world findings: 1,899 servers

Source: arXiv:2506.13538

7.2%

General vulnerabilities

5.5%

MCP-specific tool poisoning

53%

Using insecure static secrets

Source: Astrix Security

8.5%

Using OAuth

Source: Astrix Security

Defense controls

Source: arXiv:2511.20920

Scoped authentication

Restrict tool permissions to minimum required scope. No wildcard access.

Provenance tracking

Sign tool outputs with COSE_Sign1. Verify origin before acting on results.

Sandboxing

Isolate MCP server execution. No access to host filesystem, network, or other tools.

Data loss prevention

Monitor and block data exfiltration paths. Detect cross-tool data leakage.

Governance

Continuous verification, not one-time review. Rug pull attacks invalidate point-in-time audits. See agent governance for frameworks.

What XOR does

XOR's skill verification pipeline scans agent tools before execution, signs verified tools with COSE_Sign1, and produces SCITT provenance receipts. Unsigned or out-of-policy tools are blocked. See Building Secure Skills for the four-step checklist.

Sources

  • arXiv:2503.23278 — MCP: Landscape, Security Threats, and Future Research Directions
  • arXiv:2511.20920 — Securing the MCP: Risks, Controls, and Governance
  • arXiv:2506.02040 — Beyond the Protocol: Unveiling Attack Vectors in MCP
  • arXiv:2508.13220 — MCPSecBench: A Systematic Security Benchmark
  • arXiv:2506.13538 — MCP at First Glance: Security and Maintainability
  • Astrix Security, State of MCP Server Security 2025
  • MCPTox — Agent Tool Poisoning Benchmark (arXiv:2508.14925)

[NEXT STEPS]

Related pages

Building secure skills →Third-party risk overview →Standards overview →Agent attack landscape →

FAQ

What is an MCP server?

Model Context Protocol (MCP) servers provide tools and data to AI agents. They're the primary integration point between agents and external services. 1,899 open-source MCP servers exist today.

How vulnerable are MCP servers?

7.2% of 1,899 open-source MCP servers contain general vulnerabilities. 5.5% exhibit MCP-specific tool poisoning. 85%+ of identified attacks compromise at least one platform (MCPSecBench, arXiv:2508.13220).

What are the main MCP attack types?

Four categories: Tool Poisoning (malicious tool descriptions), Puppet Attacks (hijacking agent behavior), Rug Pull Attacks (post-install changes), and Malicious External Resources (arXiv:2506.02040).

[RELATED TOPICS]

Agentic Third-Party Risk

33% of enterprise software will be agentic by 2028. 40% of those projects will be canceled due to governance failures. A risk overview for CTOs.

Open source supply chain risk index

Composite risk ranking of 200 open source projects by ecosystem importance, supply chain risk, downstream reach, and structural context. 585,601 projects scored.

OWASP Top 10 for Agentic Applications

The OWASP Agentic Top 10 mapped to real-world attack data and XOR capabilities. A reference page for security teams.

How Verification Works

Test agents on real vulnerabilities before shipping fixes.

Automated Vulnerability Patching

AI agents generate fixes for known CVEs. XOR verifies each fix against the vulnerability before it ships.

Benchmark Results

62.7% pass rate. $2.64 per fix. Real data from 1,920 evaluations.

See which agents produce fixes that work

128 CVEs. 15 agents. 1,920 evaluations. Agents learn from every run.