How MCP security failures become real-world breaches
As MCP adoption surges across big tech and critical industries, security debt is turning small missteps into full-blown incidents. From tool description prompt injection to shoddy OAuth and poisoned packages, attackers are exploiting invisible seams in the protocol and its implementations. The latest spec tightens guidance, but uneven adoption means teams must harden configurations, lock down scopes, and treat every tool like a potential adversary.
Points clés
- Anthropic’s MCP, introduced in late 2024, is now supported by Microsoft, OpenAI, Google, Amazon, and widely used across Autogen, LangChain, Replit, Claude Desktop, GitHub Copilot, and VS Code, with thousands of public and private servers in the wild.
- The MCP v2025-06-18 spec mandates OAuth 2.0/2.1, Resource Indicators (RFC 8707), explicit user consent, and bans token passthrough—yet many implementations lag these requirements.
- Tool description injection turns natural-language metadata into a stealth attack surface; Tenable demonstrated effective prompt injection, and OWASP rates prompt injection as the top LLM threat.
- Authentication remains weak in practice: 492 MCP servers were found exposed without authentication, with common flaws including plaintext token storage, session IDs in URLs, and missing request validation.
- Supply chain risk is acute: the mcp-remote npm package carried CVE‑2025‑6514 (CVSS 9.6) enabling command injection; it exceeded 558,000 downloads before the fix in version 0.1.16.
- Backslash’s June 2025 “NeighborJack” misconfig bound servers to 0.0.0.0, exposing OS command execution paths and enabling host takeover.
- Supabase’s mid‑2025 “lethal trifecta” incident saw a Cursor agent with service_role access parse untrusted support tickets as SQL, leaking integration tokens publicly.
- In June 2025, Asana paused a new MCP feature after a cross‑tenant data leak, taking the integration offline for two weeks while patching.
- GitHub MCP agents were coerced via hidden instructions in public issues to enumerate and leak private repo data; Invariant Labs dubbed the pattern “toxic agent flow.”
- Practical mitigations emphasized include rigorous code/schema review, version pinning, signed or containerized distributions, granular per-tool scopes, minimal tool exposure, and observability; constraints like Cursor’s 30‑tool cap are prompting “universal” servers such as Composio’s Rube.
À retenir
Lock down OAuth 2.1, stop binding services to 0.0.0.0, trim tool scopes to the absolute minimum, and pin everything like your uptime depends on it—because it does. Treat every tool description as a charming liar, keep a human in the loop for sensitive actions, and log obsessively so you can spot the gremlins before they redecorate your infrastructure. Do this, and you’ll sleep better; don’t, and your AI agent might start “helpfully” cURLing your secrets to someone else’s party.
Sources
