MCP-in-SoS: Risk assessment framework for open-source MCP servers
Pratyay Kumar, Miguel Antonio Guirao Aguilera, Srikathyayani Srikanteswara, Satyajayant Misra, Abu Saleh Md Tayeen

TL;DR
This paper presents a systematic risk assessment framework for open-source MCP servers, highlighting prevalent security weaknesses and emphasizing the importance of secure development practices for dependable LLM agent deployment.
Contribution
It introduces a novel risk assessment framework combining static code analysis with threat mapping for open-source MCP servers, filling a gap in large-scale security evaluations.
Findings
Many open-source MCP servers contain exploitable weaknesses.
Weaknesses can compromise confidentiality, integrity, and availability.
The framework helps prioritize security improvements.
Abstract
Model Context Protocol (MCP) servers have rapidly emerged over the past year as a widely adopted way to enable Large Language Model (LLM) agents to access dynamic, real-world tools. As MCP servers proliferate and become easy to adopt via open-source releases, understanding their security risks becomes essential for dependable production agent deployments. Recent work has developed MCP threat taxonomies, proposed mitigations, and demonstrated practical attacks. However, to the best of our knowledge, no prior study has conducted a systematic, large-scale assessment of weaknesses in open-source MCP servers. Motivated by this gap, we apply static code analysis to identify Common Weakness Enumeration (CWE) weaknesses and map them to common attack patterns and threat categories using the MITRE Common Attack Pattern Enumerations and Classifications (CAPEC) to ground risk in real-world threats.…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Software System Performance and Reliability · Big Data and Digital Economy
