MCP Exploitation
Attacks specific to Model Context Protocol servers, including filesystem, network, and shell tool abuse.
Filesystem read out-of-bounds
MCP filesystem server allows reads outside the configured project root via path traversal.
Filesystem write overwrites config
MCP filesystem server allows writes that overwrite agent config files, persisting injection across sessions.
Shell server arbitrary exec
MCP shell server runs commands without sandboxing, so an attacker who achieves prompt injection can pivot to remote code execution (RCE).
MCP server supply chain
Attacker publishes a useful-looking MCP server; victims install it and grant it access to local files and tools.
MCP message confusion
Untrusted content reaches the agent through an MCP server that does not properly delineate user messages from tool-output messages, so tool output is treated as if it carried user authority.
Credentials via env tool
An MCP server that exposes environment variables as a 'tool' lets the agent read deploy-time secrets.
MCP injection via resource
MCP resources (files exposed by a server) contain injection payloads; agents that auto-load resources are compromised.
Tool shadowing
A second MCP server registers a tool with the same name as a built-in one, intercepting calls.