Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

MCPGuard : Automatically Detecting Vulnerabilities in MCP Servers

Bin Wang, Zexin Liu, Hao Yu, Ao Yang, Yenan Huang, Jing Guo, Huangsheng Cheng, Hui Li, Huiyu Wu

TL;DR

The paper analyzes security risks in the Model Context Protocol (MCP), which standardizes LLM interactions with external tools. It identifies three attack classes—protocol-induced agent hijacking, traditional web vulnerabilities in MCP servers, and supply chain threats—then surveys defense strategies such as server-side scanning and runtime interaction monitoring, including registry-based trust and policy enforcement. Key contributions include a structured threat taxonomy, evaluation of multiple defense frameworks (e.g., layered detectors, zero-trust registries, and policy-driven auditing), and the proposal of the AIG tool for automatic vulnerability detection. The work highlights that securing MCP requires defenses tailored to semantic, NL-based metadata and provides a practical roadmap for reducing risk in MCP-enabled AI ecosystems.

Abstract

The Model Context Protocol (MCP) has emerged as a standardized interface enabling seamless integration between Large Language Models (LLMs) and external data sources and tools. While MCP significantly reduces development complexity and enhances agent capabilities, its openness and extensibility introduce critical security vulnerabilities that threaten system trustworthiness and user data protection. This paper systematically analyzes the security landscape of MCP-based systems, identifying three principal threat categories: (1) agent hijacking attacks stemming from protocol design deficiencies; (2) traditional web vulnerabilities in MCP servers; and (3) supply chain security. To address these challenges, we comprehensively survey existing defense strategies, examining both proactive server-side scanning approaches, ranging from layered detection pipelines and agentic auditing frameworks to zero-trust registry systems, and runtime interaction monitoring solutions that provide continuous oversight and policy enforcement. Our analysis reveals that MCP security fundamentally represents a paradigm shift where the attack surface extends from traditional code execution to semantic interpretation of natural language metadata, necessitating novel defense mechanisms tailored to this unique threat model.

MCPGuard : Automatically Detecting Vulnerabilities in MCP Servers

TL;DR

The paper analyzes security risks in the Model Context Protocol (MCP), which standardizes LLM interactions with external tools. It identifies three attack classes—protocol-induced agent hijacking, traditional web vulnerabilities in MCP servers, and supply chain threats—then surveys defense strategies such as server-side scanning and runtime interaction monitoring, including registry-based trust and policy enforcement. Key contributions include a structured threat taxonomy, evaluation of multiple defense frameworks (e.g., layered detectors, zero-trust registries, and policy-driven auditing), and the proposal of the AIG tool for automatic vulnerability detection. The work highlights that securing MCP requires defenses tailored to semantic, NL-based metadata and provides a practical roadmap for reducing risk in MCP-enabled AI ecosystems.

Abstract

The Model Context Protocol (MCP) has emerged as a standardized interface enabling seamless integration between Large Language Models (LLMs) and external data sources and tools. While MCP significantly reduces development complexity and enhances agent capabilities, its openness and extensibility introduce critical security vulnerabilities that threaten system trustworthiness and user data protection. This paper systematically analyzes the security landscape of MCP-based systems, identifying three principal threat categories: (1) agent hijacking attacks stemming from protocol design deficiencies; (2) traditional web vulnerabilities in MCP servers; and (3) supply chain security. To address these challenges, we comprehensively survey existing defense strategies, examining both proactive server-side scanning approaches, ranging from layered detection pipelines and agentic auditing frameworks to zero-trust registry systems, and runtime interaction monitoring solutions that provide continuous oversight and policy enforcement. Our analysis reveals that MCP security fundamentally represents a paradigm shift where the attack surface extends from traditional code execution to semantic interpretation of natural language metadata, necessitating novel defense mechanisms tailored to this unique threat model.

Paper Structure

This paper contains 10 sections.

Table of Contents

  1. Introduction
  2. Model Context Protocol (MCP)
  3. MCP Attacks
  4. Indirect Prompt Injection
  5. Traditional Web Vulnerabilities in MCP Servers
  6. Supply Chain Security
  7. MCP Defenses
  8. Server-Side Scanning
  9. Interaction Monitoring
  10. Conclusion