Unsafe by Flow: Uncovering Bidirectional Data-Flow Risks in MCP Ecosystem
Xinyi Hou, Yanjie Zhao, Haoyu Wang
TL;DR
This paper introduces MCP-BiFlow, a static analysis tool that effectively detects bidirectional data-flow vulnerabilities in MCP ecosystem, outperforming existing analyzers by leveraging protocol-specific taint modeling.
Contribution
The paper presents MCP-BiFlow, a novel MCP-aware static analysis framework that accurately uncovers bidirectional data-flow risks in MCP servers, addressing limitations of prior tools.
Findings
MCP-BiFlow achieves 93.8% recall on 32 vulnerability cases.
It surfaces 549 candidate clusters across 15,452 repositories.
Manual review confirms 118 vulnerability paths in 87 servers.
Abstract
Model Context Protocol (MCP) have quickly become the interface layer between LLM agents and external tools, yet they also introduce unsafe data flows that existing analyzers handle poorly. Vulnerabilities manifest in two directions: requester-controlled arguments may propagate to sensitive operations, while untrusted external or sensitive internal data may surface through MCP-visible outputs and subsequently influence host or model behavior. Accurate detection is complicated by the heterogeneous registration and dispatch patterns MCP servers employ, the need for MCP-specific taint semantics, and the fact that bugs often only materialize along complete tool-scoped execution paths. We present MCP-BiFlow, a bidirectional static analysis framework built around MCP-aware entrypoint recovery, protocol-specific taint modeling, and interprocedural propagation analysis. Against a benchmark of 32…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.