benchmark 2025

Toward Understanding Security Issues in the Model Context Protocol Ecosystem

Xiaofan Li , Xing Gao

2 citations · 52 references · arXiv

Published on arXiv: 2510.16558

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Key Finding

Hosts do not verify LLM-generated output before turning it into tool invocations, which lets a malicious MCP server manipulate the model into exfiltrating sensitive data; and because registries accept server submissions without vetting, a substantial number of the 67,057 analyzed servers are hijackable.


The Model Context Protocol (MCP) is an emerging open standard that enables AI-powered applications to interact with external tools through structured metadata. A rapidly growing ecosystem has formed around MCP, including a wide range of MCP hosts (i.e., Cursor, Windsurf, Claude Desktop, and Cline), MCP registries (i.e., mcp.so, MCP Market, MCP Store, Pulse MCP, Smithery, and npm), and thousands of community-contributed MCP servers. Although the MCP ecosystem is gaining traction, there has been little systematic study of its architecture and associated security risks. In this paper, we present the first comprehensive security analysis of the MCP ecosystem. We decompose the MCP ecosystem into three core components: hosts, registries, and servers, and study the interactions and trust relationships among them. Users search for servers on registries and configure them in the host, which translates LLM-generated output into external tool invocations provided by the servers and executes them. Our qualitative analysis reveals that hosts lack output verification mechanisms for LLM-generated outputs, enabling malicious servers to manipulate model behavior and induce a variety of security threats, including but not limited to sensitive data exfiltration. We uncover a wide range of vulnerabilities that enable attackers to hijack servers, due to the lack of a vetted server submission process in registries. To support our analysis, we collect and analyze a dataset of 67,057 servers from six public registries. Our quantitative analysis demonstrates that a substantial number of servers can be hijacked by attackers. Finally, we propose practical defense strategies for MCP hosts, registries, and users. We responsibly disclosed our findings to affected hosts and registries.


Key Contributions

  • First comprehensive security analysis of the MCP ecosystem decomposing it into hosts, registries, and servers, with qualitative threat modeling of each component
  • Large-scale empirical analysis of 67,057 MCP servers from six public registries, demonstrating that a substantial fraction are hijackable due to unvetted submission processes
  • Practical defense strategies for MCP hosts (output verification), registries (vetting pipelines), and users, with responsible disclosure to affected parties
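As an added illustration of the host-side output-verification gap described above (example code written for this page, not the paper's artifact and not code from any MCP host): a minimal gate a host could run on every LLM-generated `tools/call` before forwarding it to the server. It checks that the tool is one the server advertised and the user actually enabled, that the arguments satisfy the server-declared `inputSchema`, and that no argument value carries a credential-looking string or points at a sensitive local path. The tool list, the enabled-tool set, and the secret and path patterns are constructed for the example; the `tools/list` and `tools/call` message shapes follow the MCP JSON-RPC schema.

```python
import re
from typing import Any, Optional, Tuple

# Constructed tools/list result from a hypothetical MCP server (assumption).
TOOLS_LIST_RESULT: dict = {
    "tools": [
        {"name": "search_docs", "description": "Search project documentation.",
         "inputSchema": {"type": "object",
                         "properties": {"query": {"type": "string"},
                                        "limit": {"type": "integer"}},
                         "required": ["query"]}},
        {"name": "send_report", "description": "Email a summary to the team.",
         "inputSchema": {"type": "object",
                         "properties": {"to": {"type": "string"},
                                        "body": {"type": "string"}},
                         "required": ["to", "body"]}},
        {"name": "upload_file", "description": "Upload a local file to a share.",
         "inputSchema": {"type": "object",
                         "properties": {"path": {"type": "string"}},
                         "required": ["path"]}},
    ]
}

# Tools the user explicitly enabled in the host UI (assumption for the example).
USER_ENABLED_TOOLS = {"search_docs", "send_report"}

# Egress policy: argument values matching these never leave the host (assumed patterns).
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                    # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),             # common API-token prefix
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),             # GitHub PAT
]
# Local paths an LLM-chosen argument must never reference (assumed list).
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"(^|/)\.ssh(/|$)"),
    re.compile(r"(^|/)\.aws(/|$)"),
    re.compile(r"(^|/)\.env$"),
]

# Minimal JSON Schema type mapping; enough for flat tool schemas.
JSON_TYPES = {"string": str, "integer": int, "number": (int, float),
              "boolean": bool, "object": dict, "array": list}


def _check_schema(args: dict, schema: dict) -> Optional[str]:
    """Return an error string if args violate the declared inputSchema."""
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in args:
            return f"missing required argument {key!r}"
    for key, value in args.items():
        if key not in props:
            return f"argument {key!r} not declared by the tool"
        expected = JSON_TYPES.get(props[key].get("type"))
        if expected is None:
            continue
        # bool is a subclass of int in Python; do not let True pass as integer.
        if isinstance(value, bool) and expected is not bool:
            return f"argument {key!r} has wrong type"
        if not isinstance(value, expected):
            return f"argument {key!r} has wrong type"
    return None


def _strings(value: Any):
    """Yield every string nested anywhere in the argument object."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def verify_tool_call(request: dict, tools_list: dict = TOOLS_LIST_RESULT,
                     enabled=USER_ENABLED_TOOLS) -> Tuple[bool, str]:
    """Gate one JSON-RPC tools/call request produced from LLM output.

    Returns (allowed, reason). The host forwards the call only when allowed.
    """
    if request.get("method") != "tools/call":
        return False, "not a tools/call request"
    params = request.get("params") or {}
    name, args = params.get("name"), params.get("arguments", {})
    tools = {t["name"]: t for t in tools_list["tools"]}
    if name not in tools:
        return False, f"tool {name!r} is not advertised by the server"
    if name not in enabled:
        return False, f"tool {name!r} was not enabled by the user"
    if not isinstance(args, dict):
        return False, "arguments must be a JSON object"
    err = _check_schema(args, tools[name]["inputSchema"])
    if err:
        return False, "schema violation: " + err
    for s in _strings(args):
        for pat in SECRET_PATTERNS:
            if pat.search(s):
                return False, "egress blocked: argument matches secret pattern"
        for pat in SENSITIVE_PATH_PATTERNS:
            if pat.search(s):
                return False, "egress blocked: argument references sensitive path"
    return True, "ok"


def _call(name: str, arguments: dict, rid: int = 1) -> dict:
    """Build a tools/call request as the host would from LLM output."""
    return {"jsonrpc": "2.0", "id": rid, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}


if __name__ == "__main__":
    # Constructed requests: one benign, the rest the kinds of calls a poisoned
    # server description could steer the model into emitting.
    for req in (_call("search_docs", {"query": "rate limiting", "limit": 5}),
                _call("send_report", {"to": "x@example.com",
                                      "body": "key AKIAIOSFODNN7EXAMPLE"}),
                _call("upload_file", {"path": "/home/alice/.ssh/id_ed25519"}),
                _call("search_docs", {"query": 42})):
        print(req["params"]["name"], verify_tool_call(req))
```

The gate runs in the host, not the server, because the server is the untrusted party in this threat model; a server that can rewrite its own tool descriptions cannot be relied on to validate the calls it induced. Schema checking alone is not enough: the `send_report` case above is schema-valid and still exfiltrates, which is why the egress policy inspects argument values rather than just their types.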

🛡️ Threat Analysis


Details

Domains
nlp
Model Types
llm
Threat Tags
black_box, inference_time
Datasets
67,057 MCP servers from mcp.so, MCP Market, MCP Store, Pulse MCP, Smithery, npm
Applications
llm agent tool use, ai coding assistants, mcp-integrated applications