Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents
Narek Maloyan, Dmitry Namiot

TL;DR
This paper provides the first formal security analysis of the Model Context Protocol (MCP), revealing fundamental vulnerabilities and proposing a protocol extension to mitigate prompt injection and permission issues in tool-integrated LLM agents.
Contribution
It identifies core security flaws in MCP's design, introduces MCPBench for attack surface measurement, and proposes MCPSec, a protocol extension that significantly improves security.
Findings
MCP vulnerabilities increase attack success rates by 23-41%.
MCPSec reduces attack success from 52.8% to 12.4%.
Security issues are architectural, not implementation-specific.
Abstract
The Model Context Protocol (MCP) has emerged as a de facto standard for integrating Large Language Models with external tools, yet no formal security analysis of the protocol specification exists. We present the first rigorous security analysis of MCP's architectural design, identifying three fundamental protocol-level vulnerabilities: (1) absence of capability attestation allowing servers to claim arbitrary permissions, (2) bidirectional sampling without origin authentication enabling server-side prompt injection, and (3) implicit trust propagation in multi-server configurations. We implement MCPBench, a novel framework bridging existing agent security benchmarks to MCP-compliant infrastructure, enabling direct measurement of protocol-specific attack surfaces. Through controlled experiments on 847 attack scenarios across five MCP server implementations, we demonstrate that…
Taxonomy
Topics: Advanced Authentication Protocols Security · Security and Verification in Computing · Mobile Agent-Based Network Management
