Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol Ecosystem
Abstract
A systematic study identifies and evaluates several attack vectors targeting the Model Context Protocol ecosystem, highlighting vulnerabilities and the need for enhanced security measures.
The Model Context Protocol (MCP) is an emerging standard designed to enable seamless interaction between Large Language Model (LLM) applications and external tools or resources. Within a short period, thousands of MCP services have already been developed and deployed. However, the client-server integration architecture inherent in MCP may expand the attack surface against LLM Agent systems, introducing new vulnerabilities that allow attackers to exploit by designing malicious MCP servers. In this paper, we present the first systematic study of attack vectors targeting the MCP ecosystem. Our analysis identifies four categories of attacks, i.e., Tool Poisoning Attacks, Puppet Attacks, Rug Pull Attacks, and Exploitation via Malicious External Resources. To evaluate the feasibility of these attacks, we conduct experiments following the typical steps of launching an attack through malicious MCP servers: upload-download-attack. Specifically, we first construct malicious MCP servers and successfully upload them to three widely used MCP aggregation platforms. The results indicate that current audit mechanisms are insufficient to identify and prevent the proposed attack methods. Next, through a user study and interview with 20 participants, we demonstrate that users struggle to identify malicious MCP servers and often unknowingly install them from aggregator platforms. Finally, we demonstrate that these attacks can trigger harmful behaviors within the user's local environment-such as accessing private files or controlling devices to transfer digital assets-by deploying a proof-of-concept (PoC) framework against five leading LLMs. Additionally, based on interview results, we discuss four key challenges faced by the current security ecosystem surrounding MCP servers. These findings underscore the urgent need for robust security mechanisms to defend against malicious MCP servers.
Community
Hi everyone! ๐
We're excited to share our research on MCP security! This is the first (submitted on May 31) systematic study identifying and characterizing four primary attack patterns within the Model Context Protocol (MCP) framework.
Taking an attacker's perspective, we conducted comprehensive experiments that revealed vulnerabilities across existing MCP aggregation platforms, users, and LLMs themselves. Our findings demonstrate the feasibility of MCP-based attacks and uncover some fascinating insights - like how LLMs have an inherent trust in tool calls, suggesting that model developers should incorporate adversarial malicious tool samples during RL and SFT phases when enhancing tool-calling capabilities.
๐ฌ Resources:
- Full source code, user study details, and experimental data: https://github.com/MCP-Security/MCP-Artifact
- We built a simulation platform mimicking popular MCP aggregators: https://www.mcp-servers.shop
For ethical reasons, we've removed 4 of the 13 malicious MCP servers used in our user study from the simulation platform, but you can find them in our GitHub repo if needed for research purposes.
Hope this work helps strengthen the MCP ecosystem's security! Feel free to reach out if you have any questions.
Citation:
@misc
{song2025protocolunveilingattackvectors,
title={Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol Ecosystem},
author={Hao Song and Yiming Shen and Wenxuan Luo and Leixin Guo and Ting Chen and Jiashui Wang and Beibei Li and Xiaosong Zhang and Jiachi Chen},
year={2025},
eprint={2506.02040},
archivePrefix={arXiv},
primaryClass={cs.CR},
url={https://arxiv.org/abs/2506.02040}
}
Models citing this paper 0
No model linking this paper
Datasets citing this paper 0
No dataset linking this paper
Spaces citing this paper 0
No Space linking this paper
Collections including this paper 0
No Collection including this paper