Compatibility at a Cost: Systematic Discovery and Exploitation of MCP Clause-Compliance Vulnerabilities
Nanzi Yang, Weiheng Bai, Kangjie Lu

TL;DR
This paper systematically analyzes vulnerabilities in the MCP interoperability standard, revealing how relaxed clauses enable attacks like prompt injection and DoS, and proposes a framework for detection and analysis.
Contribution
It introduces a universal IR generator and a static analysis framework with LLM guidance to identify MCP clause compliance issues across multiple languages.
Findings
Identified multiple MCP vulnerabilities enabling attacks
Developed a language-agnostic IR for SDK normalization
Created a modality-guided pipeline for vulnerability detection
Abstract
The Model Context Protocol (MCP) is a recently proposed interoperability standard that unifies how AI agents connect with external tools and data sources. By defining a set of common client-server message exchange clauses, MCP replaces fragmented integrations with a standardized, plug-and-play framework. However, to be compatible with diverse AI agents, the MCP specification relaxes many behavioral constraints into optional clauses, leading to misuse-prone SDK implementations. We identify this as a new attack surface that allows adversaries to mount multiple attacks (e.g., silent prompt injection, DoS, etc.), which we name compatibility-abusing attacks. In this work, we present the first systematic framework for analyzing this new attack surface across multi-language MCP SDKs. First, we construct a universal and language-agnostic intermediate representation (IR) generator that…
Taxonomy
Topics: Security and Verification in Computing · Adversarial Robustness in Machine Learning · Access Control and Trust
