"MCP Does Not Stand for Misuse Cryptography Protocol": Uncovering Cryptographic Misuse in Model Context Protocol at Scale
Biwei Yan, Yue Zhang, Minghui Xu, Hao Wu, Yechao Zhang, Kun Li, Guoming Zhang, Xiuzhen Cheng
TL;DR
This work addresses cryptographic misuse in Model Context Protocol (MCP) by introducing MICRYSCOPE, a domain-specific framework that unifies cross-language cryptographic analysis, reconstructs both explicit and implicit dependencies via a hybrid must/may graph, and tracks data flows with taint analysis. Applied to 9,403 MCP servers, MICRYSCOPE identifies 720 crypto-enabled servers, with 19.7% exhibiting misuses concentrated in Python, Developer Tools, and Data Science & ML categories, including real-world cases such as leaked API keys and insecure DES/ECB usage. The paper provides a large-scale ecosystem view, detailed methodology, and case studies that underscore the security risks from cryptographic neglect in MCP-enabled AI workflows. It also discusses limitations (dynamic parameter generation, wrapped APIs) and argues for protocol-level defenses and improved developer guidance to strengthen MCP as secure middleware for agentic AI.
Abstract
The Model Context Protocol (MCP) is rapidly emerging as the middleware for LLM-based applications, offering a standardized interface for tool integration. However, its built-in security mechanisms are minimal: while schemas and declarations prevent malformed requests, MCP provides no guarantees of authenticity or confidentiality, forcing developers to implement cryptography themselves. Such ad hoc practices are historically prone to misuse, and within MCP they threaten sensitive data and services. We present MICRYSCOPE, the first domain-specific framework for detecting cryptographic misuses in MCP implementations. MICRYSCOPE combines three key innovations: a cross-language intermediate representation that normalizes cryptographic APIs across diverse ecosystems, a hybrid dependency analysis that uncovers explicit and implicit function relationships (including insecure runtime compositions orchestrated by LLMs) and a taint-based misuse detector that tracks sensitive data flows and flags violations of established cryptographic rules. Applying MICRYSCOPE to 9,403 MCP servers, we identified 720 with cryptographic logic, of which 19.7% exhibited misuses. These flaws are concentrated in certain markets (e.g., Smithery Registry with 42% insecure servers), languages (Python at 34% misuse rate), and categories (Developer Tools and Data Science & ML accounting for over 50% of all misuses). Case studies reveal real-world consequences, including leaked API keys, insecure DES/ECB tools, and MD5-based authentication bypasses. Our study establishes the first ecosystem-wide view of cryptographic misuse in MCP and provides both tools and insights to strengthen the security foundations of this rapidly growing protocol.