Systematic Analysis of MCP Security

TL;DR

This paper systematically analyzes the security vulnerabilities of the Model Context Protocol (MCP) by creating an attack library, categorizing attack methods, and empirically evaluating their effectiveness to inform better defense strategies.

Contribution

It introduces the MCP Attack Library (MCPLIB), a comprehensive taxonomy of 31 attack methods, and provides empirical analysis of MCP vulnerabilities to improve security measures.

Findings

Agents rely heavily on tool descriptions, leading to vulnerabilities.

File-based attacks can exploit MCP systems effectively.

Chain attacks can manipulate shared context to deceive agents.

Abstract

The Model Context Protocol (MCP) has emerged as a universal standard that enables AI agents to seamlessly connect with external tools, significantly enhancing their functionality. However, while MCP brings notable benefits, it also introduces significant vulnerabilities, such as Tool Poisoning Attacks (TPA), where hidden malicious instructions exploit the sycophancy of large language models (LLMs) to manipulate agent behavior. Despite these risks, current academic research on MCP security remains limited, with most studies focusing on narrow or qualitative analyses that fail to capture the diversity of real-world threats. To address this gap, we present the MCP Attack Library (MCPLIB), which categorizes and implements 31 distinct attack methods under four key classifications: direct tool injection, indirect tool injection, malicious user attacks, and LLM inherent attack. We further conduct a quantitative analysis of the efficacy of each attack. Our experiments reveal key insights into MCP vulnerabilities, including agents' blind reliance on tool descriptions, sensitivity to file-based attacks, chain attacks exploiting shared context, and difficulty distinguishing external data from executable commands. These insights, validated through attack experiments, underscore the urgency for robust defense strategies and informed MCP design. Our contributions include 1) constructing a comprehensive MCP attack taxonomy, 2) introducing a unified attack framework MCPLIB, and 3) conducting empirical vulnerability analysis to enhance MCP security mechanisms. This work provides a foundational framework, supporting the secure evolution of MCP ecosystems.