Table of Contents
Fetching ...

Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents

Narek Maloyan, Dmitry Namiot

TL;DR

This work provides the first formal security analysis of the Model Context Protocol (MCP), identifying three protocol-level vulnerabilities that amplify attack success relative to non-MCP integrations. It introduces ProtoAmp to quantify protocol-induced amplification across 847 scenarios and demonstrates substantial security gains from a backward-compatible AttestMCP extension featuring capability attestation, message authentication, and origin tagging. The results show MCP can significantly elevate ASR, especially in cross-server contexts, but AttestMCP reduces overall ASR from 52.8% to 12.4% with modest latency overhead. Practically, the paper argues for protocol-level remediation and outlines evolving trust models (federated CAs) and migration paths to improve the security of tool-integrated LLM agents as MCP adoption scales.

Abstract

The Model Context Protocol (MCP) has emerged as a de facto standard for integrating Large Language Models with external tools, yet no formal security analysis of the protocol specification exists. We present the first rigorous security analysis of MCP's architectural design, identifying three fundamental protocol-level vulnerabilities: (1) absence of capability attestation allowing servers to claim arbitrary permissions, (2) bidirectional sampling without origin authentication enabling server-side prompt injection, and (3) implicit trust propagation in multi-server configurations. We implement \textsc{MCPBench}, a novel framework bridging existing agent security benchmarks to MCP-compliant infrastructure, enabling direct measurement of protocol-specific attack surfaces. Through controlled experiments on 847 attack scenarios across five MCP server implementations, we demonstrate that MCP's architectural choices amplify attack success rates by 23--41\% compared to equivalent non-MCP integrations. We propose \textsc{MCPSec}, a backward-compatible protocol extension adding capability attestation and message authentication, reducing attack success rates from 52.8\% to 12.4\% with median latency overhead of 8.3ms per message. Our findings establish that MCP's security weaknesses are architectural rather than implementation-specific, requiring protocol-level remediation.

Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents

TL;DR

This work provides the first formal security analysis of the Model Context Protocol (MCP), identifying three protocol-level vulnerabilities that amplify attack success relative to non-MCP integrations. It introduces ProtoAmp to quantify protocol-induced amplification across 847 scenarios and demonstrates substantial security gains from a backward-compatible AttestMCP extension featuring capability attestation, message authentication, and origin tagging. The results show MCP can significantly elevate ASR, especially in cross-server contexts, but AttestMCP reduces overall ASR from 52.8% to 12.4% with modest latency overhead. Practically, the paper argues for protocol-level remediation and outlines evolving trust models (federated CAs) and migration paths to improve the security of tool-integrated LLM agents as MCP adoption scales.

Abstract

The Model Context Protocol (MCP) has emerged as a de facto standard for integrating Large Language Models with external tools, yet no formal security analysis of the protocol specification exists. We present the first rigorous security analysis of MCP's architectural design, identifying three fundamental protocol-level vulnerabilities: (1) absence of capability attestation allowing servers to claim arbitrary permissions, (2) bidirectional sampling without origin authentication enabling server-side prompt injection, and (3) implicit trust propagation in multi-server configurations. We implement \textsc{MCPBench}, a novel framework bridging existing agent security benchmarks to MCP-compliant infrastructure, enabling direct measurement of protocol-specific attack surfaces. Through controlled experiments on 847 attack scenarios across five MCP server implementations, we demonstrate that MCP's architectural choices amplify attack success rates by 23--41\% compared to equivalent non-MCP integrations. We propose \textsc{MCPSec}, a backward-compatible protocol extension adding capability attestation and message authentication, reducing attack success rates from 52.8\% to 12.4\% with median latency overhead of 8.3ms per message. Our findings establish that MCP's security weaknesses are architectural rather than implementation-specific, requiring protocol-level remediation.
Paper Structure (35 sections, 1 figure, 10 tables)