The MCP Server Vulnerability Landscape: Mapping Threats Across 3,601 Servers
Using inspection data from 3,601 MCP servers, we map the structure of 19 attack patterns, classify server functions, and outline design conditions associated with lower observed risk. Vulnerability analysis series, part 1.
Terminology
| Term | Meaning |
|---|---|
| MCP server | An endpoint that AI agents connect to for external capabilities (Model Context Protocol) |
| Attack pattern | A classified threat type that can be exploited against MCP servers. This report defines 19 types |
| Server function category | Classification of MCP servers by the type of capability they provide (file operations, API integration, etc.) |
| Attack surface | The set of operations and input paths a server exposes. More functions mean a wider attack surface |
| Detection layer | The verification stage at which a threat is detected: declaration, code, or runtime |
Lead
When discussing MCP server security, simply stating that "dangerous servers exist" does not provide organizations with sufficient information for deployment decisions. What is needed is a structural understanding: what kinds of servers carry what kinds of threats, and at what frequency.
This series analyzes MCP server threats through multiple lenses, using inspection data from 3,601 servers. This first installment provides an overall landscape view. We present the classification framework for 19 attack patterns, categorize MCP server functions, and map the intersection between server capabilities and threat exposure — establishing the analytical foundation for the rest of the series.
Our previous report ("We Inspected 3,601 MCP Servers — Here Is What We Found") established that 70% of servers in a detailed sample triggered warnings or higher. This series digs into the structure behind that 70% — what is detected, why, and where.
Key Findings
- The 19 attack patterns group into 5 categories. The widest attack surface belongs to "Code Execution & System Access" (Path Traversal, Shell RCE, Argument Injection).
- Code Execution servers face 13 of 19 threats — the widest attack surface. Even the lowest observed-risk category (Monitoring) faces 7/19. No server function is automatically low-risk.
- MCP server functions classify into 12 categories. Most servers span multiple categories ("composite" servers are the norm).
- 6 of the 19 attack patterns are specific to AI/MCP protocols and cannot be addressed by traditional web security tools.
- 6 patterns including Tool Poisoning and Supply Chain apply universally across all server types regardless of function.
- Threat matching results across 3,601 servers (actual detection frequency per pattern) will be presented in the next installment.
Background: Structural Characteristics of the MCP Server Ecosystem
A Rapidly Growing Ecosystem
MCP was released by Anthropic in late 2024 and rapidly became the de facto standard for AI agent development from the second half of 2025. Thousands of MCP servers are now published through npm, PyPI, and GitHub, covering everything from file operations to cloud infrastructure management.
This growth rate structurally creates a situation where security verification cannot keep pace. Developers have strong incentives to publish MCP servers (gaining users, contributing to the community), but no established framework exists for third-party security verification of these servers.
The Critical Difference From Traditional Package Security
Security inspection of npm packages or Python libraries traditionally centers on dependency vulnerability checks — matching against CVE databases. However, the risks posed by MCP servers cannot be fully captured by this approach.
MCP server-specific risk factors include:
- Permission delegation to AI agents: MCP servers are not mere libraries — they are gateways that grant operational permissions to AI agents. File deletion, command execution, data transmission to external services — the impact scope is fundamentally broader than traditional library dependencies.
- Declaration-implementation divergence: There is no guarantee that an MCP server's tool definitions (declarations) match its actual code implementation. A server declaring "read-only" access while performing write operations cannot be detected through metadata inspection alone.
- Dynamic runtime behavior: Even servers that look lower-risk in static code analysis may dynamically change network destinations at runtime or alter behavior based on external instructions.
- Cross-server orchestration: When multiple MCP servers operate in coordination, individually lower-risk servers may still create data leakage or privilege escalation risks through their interaction patterns.
These characteristics necessitate a multi-layered approach combining declaration-level, code-level, and runtime-level verification for MCP server security inspection.
MCP Server Function Classification
To structurally understand MCP server threats, we must first map what kinds of servers exist. Server functions extracted from the 3,601-server inspection dataset can be classified into 12 categories.
| Category | Function | Representative Use Cases |
|---|---|---|
| Filesystem Operations | Read, write, delete, and search files | Local file management, document processing |
| Database Connectivity | SQL/NoSQL database queries | PostgreSQL, SQLite, MongoDB operations |
| API/Web Integration | External service API calls | GitHub, Slack, Notion, Jira integration |
| Code Execution | Program execution and evaluation | Python/Node.js runtime, shell operations |
| Search & Retrieval | Information gathering from web and data sources | Web search, data scraping |
| AI/LLM Orchestration | AI model invocation and management | Model orchestration, prompt management |
| Cloud Infrastructure | Cloud resource operations | AWS, GCP, Azure resource management |
| Version Control | Source code management | Git operations, repository management |
| Communication | Messaging service integration | Email, chat operations |
| Authentication & Access Control | Authentication flows and credential management | OAuth integration, token management |
| Data Transformation | Data conversion, aggregation, processing | ETL pipelines, format conversion |
| Monitoring & Logging | System monitoring and log management | Log collection, metrics retrieval |
Functional Overlap and Composability
In practice, MCP servers rarely fit into a single category. A GitHub integration server, for example, spans "API/Web Integration," "Version Control," and "Filesystem Operations." A database management server may combine "Database Connectivity" with "Filesystem Operations" (backups) and "Code Execution" (migration scripts).
This composability complicates threat assessment. Evaluating risk based on a single category misses attack paths through other functional categories. Therefore, MCP server threat analysis must cover all function categories that a server implements.
The 19 Attack Patterns: Understanding Through 5 Categories
MCP Guard defines 19 attack patterns and monitors them through 176+ check items. These attack patterns can be organized into 5 categories based on their nature and impact scope.
Category Structure
| Category | Attack Patterns | Characteristics |
|---|---|---|
| A: Code Execution & System Access | Path Traversal, Shell RCE, Argument Injection | Widest attack surface. Affects the majority of servers with file or command capabilities |
| B: Data Theft & Network Interception | Data Exfiltration, SSRF, MITM, DNS Rebinding | Targets all servers with network communication. Directly leads to information leakage |
| C: AI/MCP-Specific | Tool Poisoning, Tool Name Collision, Prompt Injection, Function Hijacking, Indirect Theft, PleaseFix Attack | Unique to MCP protocol. Undetectable by traditional security tools |
| D: Permission & Resource Abuse | Clawdrain, OAuth Scope Abuse, Insecure Plugin Design | Targets excessive permission grants and resource consumption. Direct operational cost impact |
| E: Supply Chain & Persistence | Supply Chain, Rug Pull, Unicode Injection | Threats that manifest over time. May be undetectable in initial inspection |
Category A: Code Execution & System Access
Path Traversal exploits file path handling to access files outside the intended scope. This attack type has the widest target surface among MCP servers because file operations are a fundamental MCP capability — most servers accept file paths in some form.
Shell RCE (Remote Code Execution) achieves arbitrary code execution through child process spawning or eval-family functions. Python's subprocess, Node.js's child_process, and direct eval/exec usage are entry points for this threat. Code execution servers inherently face this risk, making input sanitization and permission restriction critical.
Argument Injection exploits command template expansion or argument concatenation to execute unintended operations. Less prevalent than Path Traversal or Shell RCE, but particularly dangerous in servers that wrap command-line tools.
Category B: Data Theft & Network Interception
Data Exfiltration involves the unauthorized outbound transmission of credentials or sensitive data. When HTTP request destinations contain user data, information can leak regardless of the server's declared functionality. Detection frequency is highest among API integration and web communication servers.
SSRF (Server-Side Request Forgery) uses the MCP server as a stepping stone to access internal network resources. For remotely hosted MCP servers, this creates a path to internal APIs and cloud metadata endpoints.
MITM and DNS Rebinding threaten communication path security. TLS verification bypass and DNS resolver pivoting for local network infiltration fall into this category.
Category C: AI/MCP-Specific Attacks
The 6 attack types in this category exploit MCP protocol characteristics and AI agent behavior — they cannot be addressed with traditional web security knowledge alone.
Tool Poisoning embeds malicious instructions in tool descriptions or declarations to steer AI agent behavior. Tool names and descriptions are not just human-readable — they serve as decision inputs for AI agents. Malicious content here can lead agents to execute unintended operations.
Tool Name Collision provides a tool with the same name as a trusted tool, intercepting legitimate tool calls. This risk is particularly high in environments using multiple MCP servers simultaneously.
Prompt Injection embeds AI agent instructions within data or error messages returned by the MCP server, hijacking the agent's behavior.
Function Hijacking takes over MCP server internal control flow through prototype pollution or hook modification.
Indirect Theft chains calls across multiple MCP servers to steal data in a pattern undetectable by inspecting individual servers. Server A calls Server B, then transmits the result externally — this cross-server relay is the attack pattern.
PleaseFix Attack exploits tools declaring "auto-fix" or "auto-run" capabilities to execute dangerous operations without user confirmation.
Category D: Permission & Resource Abuse
Clawdrain triggers cost explosion or service disruption through excessive API calls or unbounded data retrieval. In AI agent environments with loop execution, one MCP server's runaway behavior can cascade across the entire infrastructure.
OAuth Scope Abuse involves requesting unnecessarily broad OAuth scopes relative to the server's actual functionality. A server requiring only read access that requests read-write-delete permissions is the typical case.
Insecure Plugin Design refers to plugin or extension architectures with weak permission boundaries that allow unintended code loading or execution.
Category E: Supply Chain & Persistence
Supply Chain attacks contaminate MCP server dependency packages or distribution paths, indirectly injecting dangerous code.
Rug Pull occurs when a server that appeared lower-risk at initial publication introduces malicious behavior through updates. This attack is undetectable at first inspection and can only be caught through periodic re-inspection and diff monitoring.
Unicode Injection uses invisible characters or visually identical characters (homoglyphs) to bypass code review and security inspection.
Server Functions × Threat Intersections
A structural correspondence exists between MCP server function categories and attack patterns. The following table shows which specific threats apply to each server function. The threat count represents the breadth of each function's attack surface.
| Server Function | Threat Count | Key Threats |
|---|---|---|
| Code Execution | 13/19 | Shell RCE, Path Traversal, Argument Injection, Function Hijacking, Data Exfiltration, Clawdrain |
| Cloud Infrastructure | 10/19 | OAuth Scope Abuse, SSRF, Data Exfiltration, MITM |
| API/Web Integration | 10/19 | Data Exfiltration, SSRF, DNS Rebinding, MITM |
| AI/LLM Orchestration | 10/19 | Prompt Injection, Clawdrain, Indirect Theft, PleaseFix Attack |
| Database Connectivity | 10/19 | Data Exfiltration, SSRF, Path Traversal, Argument Injection |
| Authentication & Access | 10/19 | OAuth Scope Abuse, Data Exfiltration, Indirect Theft |
| Filesystem Operations | 9/19 | Path Traversal, Data Exfiltration, Shell RCE |
| Search & Retrieval | 9/19 | SSRF, Data Exfiltration, MITM |
| Communication | 8/19 | Data Exfiltration, SSRF, Indirect Theft |
| Version Control | 8/19 | Path Traversal, Shell RCE, Supply Chain |
| Data Transformation | 8/19 | Path Traversal, Shell RCE, Clawdrain |
| Monitoring & Logging | 7/19 | Data Exfiltration, SSRF |
Note: 6 patterns — Tool Poisoning, Tool Name Collision, Prompt Injection, Supply Chain, Rug Pull, and Unicode Injection — apply universally across all server types. The threat counts above include these common threats.
Key structural patterns:
- Code Execution servers face 13 of 19 threats. They have the widest attack surface and the highest inspection priority.
- Cloud, API, AI/LLM, Database, and Authentication all share 10/19. Any server with network communication and permission management faces a broad attack surface regardless of its specific function.
- Even the lowest observed-risk category (Monitoring) faces 7/19. Beyond the 6 universal threats, data collection creates Exfiltration and SSRF exposure. No server function can be considered automatically low-risk.
- Data Exfiltration appears across nearly every category. As long as a server has network communication, outbound data transfer risk cannot be eliminated.
What Lowers MCP Server Risk
From the threat structure above, we can outline the design conditions most strongly associated with lower observed risk in MCP servers.
1. Principle of Least Privilege
Align declared capabilities with actually required permissions. "Just in case" broad permission requests create fertile ground for OAuth Scope Abuse and Insecure Plugin Design.
2. Declaration-Implementation Consistency
Make it verifiable that tool definitions (declared input/output specifications) match actual code implementation. Divergence between declaration and implementation is used to conceal Tool Poisoning and Data Exfiltration.
3. Strict Input Validation
Implement defenses against Path Traversal, Argument Injection, and SSRF at every point that accepts user input — file paths, URLs, command arguments.
4. Network Communication Transparency
Declare all external communication destinations and content, making undeclared communication detectable. Preventing Data Exfiltration and SSRF requires transparency as the foundation.
5. Continuous Monitoring and Re-Inspection
Initial inspection alone is insufficient. Defending against Rug Pull and Supply Chain attacks requires periodic re-inspection and diff monitoring — continuously tracking source code hash changes, dependency updates, and tool definition modifications.
6. Cross-Server Design That Limits Relay Risk
Preventing Indirect Theft requires explicit data flow declarations when calling other MCP servers, with safeguards against unintended data relay.
Series Roadmap
This article serves as Part 1 of the "MCP Server Vulnerability Analysis Series," providing an overall landscape view. Subsequent installments will present concrete data analysis built on this framework.
| Part | Theme | Content |
|---|---|---|
| 1 | Landscape Overview (this article) | Threat structure, server function taxonomy, attack surface mapping |
| 2 | Detection Distribution by Attack Pattern | Detection frequency and distribution for each attack pattern across 3,601 servers |
| 3 | Risk Profiles by Server Function | Identifying high-risk function categories and how function combinations affect risk |
| 4 | Deep Dive: Code Execution Servers | Detection patterns and evasion difficulty for Shell RCE / Path Traversal |
| 5 | The AI/MCP-Specific Attack Frontier | Real-world patterns and countermeasures for Tool Poisoning / Prompt Injection / Indirect Theft |
Next installment preview: Part 2 will publish threat matching results across all 3,601 MCP servers, quantifying detection frequency for each of the 19 attack patterns. We will present cross-analysis showing which patterns are most common and which server functions they correlate with.
Limitations
- The classification framework in this article is based on currently identified threat patterns. New threat categories may emerge as the MCP ecosystem evolves.
- The 12 server function categories cover major capabilities but do not include specialized servers (hardware control, IoT, etc.).
- The threat intersection table shows qualitative relationships. Quantitative detection frequencies will be reported in subsequent installments.
- Specific implementation details of inspection methods are not disclosed, to prevent inspection evasion.
Conclusion
MCP server vulnerabilities can be structured into 19 attack patterns across 5 categories, understood through their intersection with 12 server function categories. The fact that file operations and network communication — the most fundamental capabilities — form the widest attack surface means that the majority of MCP servers are exposed to some form of threat.
The 6 AI/MCP-specific attack types (Tool Poisoning, Tool Name Collision, Prompt Injection, Function Hijacking, Indirect Theft, PleaseFix Attack) fall outside the coverage of traditional security tools and require dedicated detection mechanisms.
Building lower-risk MCP servers requires satisfying six conditions: least privilege, declaration consistency, input validation, communication transparency, continuous monitoring, and cross-server design that limits relay risk. Quantifying how well these conditions are met across the ecosystem is the goal of this series.
MCP Guard monitors 19 attack patterns through 176+ check items, providing multi-perspective risk evaluation for MCP servers.