Invisible Threats from Model Context Protocol: Generating Stealthy Injection Payload via Tree-based Adaptive Search

Abstract

Recent advances in the Model Context Protocol (MCP) have enabled large language models (LLMs) to invoke external tools with unprecedented ease. This creates a new class of powerful and tool augmented agents. Unfortunately, this capability also introduces an under explored attack surface, specifically the malicious manipulation of tool responses. Existing techniques for indirect prompt injection that target MCP suffer from high deployment costs, weak semantic coherence, or heavy white box requirements. Furthermore, they are often easily detected by recently proposed defenses. In this paper, we propose Tree structured Injection for Payloads (TIP), a novel black-box attack which generates natural payloads to reliably seize control of MCP enabled agents even under defense. Technically, We cast payload generation as a tree structured search problem and guide the search with an attacker LLM operating under our proposed coarse-to-fine optimization framework. To stabilize learning and avoid local optima, we introduce a path-aware feedback mechanism that surfaces only high quality historical trajectories to the attacker model. The framework is further hardened against defensive transformations by explicitly conditioning the search on observable defense signals and dynamically reallocating the exploration budget. Extensive experiments on four mainstream LLMs show that TIP attains over 95% attack success in undefended settings while requiring an order of magnitude fewer queries than prior adaptive attacks. Against four representative defense approaches, TIP preserves more than 50% effectiveness and significantly outperforms the state-of-the-art attacks. By implementing the attack on real world MCP systems, our results expose an invisible but practical threat vector in MCP deployments. We also discuss potential mitigation approaches to address this critical security gap.

Figures (7)

• Figure 1: Attack scenario overview. A client relies on a third-party Model Context Protocol (MCP) server to provide structured inputs to its locally deployed LLM-based tool. An adversary compromising the MCP server delivers a stealthy update containing a semantically coherent prompt injection embedded within legitimate response fields. The local LLM interprets this adversarial context as trusted input, executing malicious instructions while bypassing client-side defenses due to the payload’s syntactic and semantic plausibility.
• Figure 2: Overview of the TIP framework for generating stealthy, transferable JSON payloads through a tree-based search. It includes three main stages: Branch, where tool response simulation and a dual coarse-to-fine strategy refine payload intent and structure; Prune, which evaluates candidates via transferability checks (e.g., Monte Carlo scoring) across diverse instructions and models; and Feedback & Iteration, optimizing payloads using path-aware feedback from historical high-scoring nodes.
• Figure 3: Cosine similarity between generated payloads and legitimate responses. TIP payloads exhibit higher semantic similarity to benign data, reducing the likelihood of detection.
• Figure 4: Comparison of training optimization curves between the baseline TAP and our proposed TIP. TAP suffers from local convergence, i.e., performance drops after initial peak, while our proposed TIP maintains a stable upward trend due to path-aware feedback.
• Figure 5: Tree-Structured optimization process for attack payload generation. The figure illustrates the iterative expansion of the search tree where each node represents a candidate payload with an associated score ranging from 0 to 1. Nodes are color coded based on their scores with red indicating low scores and yellow indicating high scores. The optimization process explores diverse payloads through branching and pruning which aims to converge towards high scoring nodes that maximize attack success rates.