Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers

TL;DR

This study empirically evaluates the security and maintainability of 1,899 open-source MCP servers, revealing vulnerabilities and emphasizing the need for MCP-specific security measures and better ecosystem governance.

Contribution

First large-scale empirical analysis of MCP servers assessing health, security, and maintainability, highlighting unique vulnerabilities and proposing targeted detection and governance strategies.

Findings

Identified eight distinct vulnerabilities, three overlapping with traditional software issues.

7.2% of servers contain general vulnerabilities, 5.5% have MCP-specific tool poisoning.

66% of servers exhibit code smells, with 14.4% showing overlapping bug patterns.

Abstract

Although Foundation Models (FMs), such as GPT-4, are increasingly used in domains like finance and software engineering, reliance on textual interfaces limits these models' real-world interaction. To address this, FM providers introduced a tool called -- triggering a proliferation of frameworks with distinct tool interfaces. In late 2024, Anthropic introduced the Model Context Protocol (MCP) to standardize this tool ecosystem. MCP is rapidly emerging as a de facto industry standard. Despite its adoption, MCP's AI-driven, non-deterministic control flow introduces new risks to sustainability, security, and maintainability, warranting closer examination. Towards this end, we present the first large-scale empirical study of MCP. Using state-of-the-art health metrics and a hybrid analysis pipeline that combines a general-purpose static analysis tool with an MCP-specific scanner, we evaluate 1,899 open-source MCP servers to assess their health, security, and maintainability. Despite MCP servers demonstrating strong health metrics, we identify eight distinct vulnerabilities -- only three of which overlap with traditional software vulnerabilities. Additionally, 7.2% of servers contain general vulnerabilities, and 5.5% exhibit MCP-specific tool poisoning. Regarding maintainability, while 66% exhibit code smells, 14.4% contain ten bug patterns overlapping prior research. These findings highlight the need for MCP-specific vulnerability detection techniques while reaffirming the value of traditional analysis and refactoring practices. Furthermore, we advocate for stronger governance across the MCP ecosystem by incorporating MCP-specific vulnerabilities into standardized vulnerability databases, enabling automated security scanning within MCP registries, and promoting responsible development practices to ensure the long-term safety and sustainability of the MCP ecosystem.