# Index of Reported MCP-Based Security Vulnerabilities

## 👋 Intro

This is an index of reported vulnerabilities in Model Context Protocol (MCP) servers and systems. The aim is to enable builders and users of MCP servers to learn more about past and current vulnerabilities, in order to improve the security of the MCP systems they build and use.

For more information on *types/categories* of MCP-based vulnerabilities and attack vectors - and the most effective mitigations for them - use our "[MCP Security Threat-List](https://github.com/MCP-Manager/MCP-Checklists/blob/main/infrastructure/docs/mcp-security-threat-list.md)".

**⭐ Star this repo to stay up to date and avoid missing that guide you know you'll need in the future!**

### 🤝 Please Contribute To This Index!

Contributions are welcome and encouraged! Feel free to contribute using the [instructions here](https://github.com/MCP-Manager/MCP-Checklists/blob/main/CONTRIBUTING.md). Complete as many of the “fields” below as you can for the vulnerability you are sharing:

- *Name*
- *Date Reported*
- *Affected Servers*
- *Category*
- *Description*
- *Mitigations*

If you don’t know the category, mitigations etc., **feel free to share what you do know and we will fill in the blanks.** Thank you!

### 🖋️ About The Authors

Created by the team at: [MCP Manager](https://mcpmanager.ai/). MCP Manager is the secure gateway for leaders driving enterprise AI adoption. It provides observability, policy enforcement, identity management, and more. Prevent security threats before they surface.

## 🗂️ Index List

Below are attacks and reported vulnerabilities organized by vulnerability type.


Click on the links to see a full description of each reported vulnerability, including:

- Name
- Date Reported
- Affected Servers
- Category
- Description
- Mitigations

### 🔩 Misconfiguration Exploitations:

- [Asana MCP Workspace - Cross-Tenant Unauthorized Access](#closed_lock_with_key-asana-mcp-cross-tenant-unauthorized-access)
- [Anthropic Filesystem MCP Server - Directory Containment Bypass (CVE-2025-53110)](#closed_lock_with_key-anthropic-filesystem-mcp-server-directory-containment-bypass-cve-2025-53110)
- [Anthropic Filesystem MCP Server - Symlink Bypass (CVE-2025-53109)](#closed_lock_with_key-anthropic-filesystem-mcp-server-symlink-bypass-cve-2025-53109)
- [MCP Servers - “NeighborJack” Vulnerability](#closed_lock_with_key-mcp-servers-neighborjack-0000-exploit)
- [MCP Inspector (<0.14.1) Remote Code Execution Vulnerability (CVE-2025-49596)](#closed_lock_with_key-mcp-inspector-0141-remote-code-execution-vulnerability-cve-2025-49596)

### 💉 Prompt/Command Injections:

- [Atlassian MCP Prompt Injection Via Support Ticket](#closed_lock_with_key-atlassian-mcp-prompt-injection-via-support-ticket)
- [Supabase Cursor Agent - SQL Injection](#closed_lock_with_key-supabase-cursor-agent-sql-injection)
- [GitHub MCP - Prompt Injection Via Submitted Issue](#closed_lock_with_key-github-mcp---prompt-injection-via-submitted-issue)
- [Anthropic SQLite Server - SQL Injection](#closed_lock_with_key-anthropic-sqlite-server---sql-injection)
- [Framelink Figma MCP RCE - (CVE-2025-53967)](#closed_lock_with_key-framelink-figma-mcp-server-command-injection-vulnerability-cve-2025-53967)

### 🛠️ Tool Poisoning:

- [MCP Remote - Remote Code Execution Via Crafted Authorization Endpoint (CVE-2025-6514)](#closed_lock_with_key-mcp-remote---remote-code-execution-via-crafted-authorization-endpoint-cve-2025-6514)

<br>
<br>

# 🔬 Index Entries

## 🔩 Misconfiguration Exploitations

### :closed_lock_with_key: Asana MCP Cross-Tenant Unauthorized Access

**Date Reported:** June 4, 2025

**Affected Servers:** Asana MCP servers supporting approximately 1,000 customers

**Category:** Multi-Tenant Data Leakage / Privacy Breach

**Description:** Flawed logic in Asana's MCP server dissolved tenant isolation, enabling users to see data from other Asana MCP instances. This cross-tenant data leakage could include project information, comments, and any sensitive data (including commercially sensitive data).

**Impact/Result:** Potential exposure of sensitive customer data across organizational boundaries, impacting around 1,000 customers. Although there were no reports that this vulnerability was exploited, the risk of privacy violations and regulatory implications was significant. Around 1,000 companies (including Fortune 500 companies) were affected, with data being exposed for 34 days. Asana took their MCP server offline for nearly two weeks to contain and patch the issue, reportedly costing $7.5m to fix.

**Mitigations For This/Similar Attacks:**

- Immediate shutdown of the affected MCP service upon discovery to prevent further exposure.
- Patch the MCP server to fix the logic flaw causing cross-tenant data leakage.
- Enforce strict tenant isolation controls in the MCP integration.
- Implement robust testing and validation of multi-tenant data segregation in MCP deployments.
- Pause automated MCP reconnections until trust and security are verified.

🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

### :closed_lock_with_key: Anthropic Filesystem MCP Server Directory Containment Bypass (CVE-2025-53110)

**Date Reported:** July 2nd, 2025

**Affected Servers:** Anthropic Filesystem MCP Server versions before 0.6.3 / 2025.7.1

**Category:** Sandbox Escape

**Description:** The MCP server uses a naive prefix check to validate whether file access requests reside within an allowed directory. Attackers exploit this by specifying file paths that start with an allowed directory name but actually point outside the sandbox.


**Impact/Result:** Researchers gained unauthorized file system access to sensitive files outside the sandbox. This could lead to exfiltration of credentials, configuration, and critical system files.

**Mitigations For This/Similar Attacks:**

- Update the Anthropic Filesystem MCP server to version 0.6.3 or later
- Impose strict file path canonicalization and validation
- Run MCP servers with limited file system permissions, aligned to the least-privilege principle
- Use an MCP gateway to validate and filter file access requests before they reach the MCP server

🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

### :closed_lock_with_key: Anthropic Filesystem MCP Server Symlink Bypass (CVE-2025-53109)

**Date Reported:** July 2nd, 2025

**Affected Servers:** Anthropic Filesystem MCP Server (versions before 0.6.3 / 2025.7.1)

**Category:** Sandbox Escape

**Description:** Due to improper symlink resolution, attackers can create symbolic links inside allowed directories that point to critical system files or directories outside the sandbox. This enables unauthorized read/write access to protected files anywhere on the host. Attackers can drop malicious payloads or scripts via these symlinks, triggering arbitrary OS code execution and full system compromise.

**Impact/Result:** Full host compromise is possible through escalation from arbitrary file access to arbitrary code execution. Sensitive system and application files may be exposed or modified, posing severe security risks when MCP servers run with elevated privileges.

**Mitigations:**

- Update to version 0.6.3 or later
- Restrict MCP server process privileges and filesystem access rights.
- Monitor file and process activity to detect suspicious symlink creation or code execution attempts.
- Deploy an MCP gateway to enforce sandboxing rules and detect anomalous file operations.


🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

### :closed_lock_with_key: MCP Servers “NeighborJack” 0.0.0.0 Exploit

**Date Reported:** Jun 25, 2025

**Affected Servers:** Hundreds of servers identified with this vulnerability.

**Category:** Network Exposure / Misconfiguration

**Description:** Hundreds of MCP servers were explicitly bound to all network interfaces (0.0.0.0), making them accessible to anyone on the same local network.

**Impact/Result:** No successful real-world exploitation of this vulnerability has been recorded to date. However, the potential impact includes unauthorized access to the MCP server, which, combined with other vulnerabilities (such as excessive permissions or unchecked input), could allow attackers to execute commands, take control of the host machine, impersonate AI tools, or conduct context poisoning attacks.

**Mitigations:**

- Use an MCP Gateway to restrict MCP server binding to trusted network interfaces only, ideally not 0.0.0.0. Set rules to limit access to MCP servers to authorized users/devices within the network. Enable authentication and access controls at the server and gateway level.
- Avoid binding MCP servers to all interfaces (0.0.0.0)
- Apply strict local firewall rules to block unwanted local network traffic
- Disable unnecessary services and ports
- Implement robust input validation
- Enforce least-privilege permissions on the server to reduce risk even if it is accessed

🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

### :closed_lock_with_key: MCP Inspector (<0.14.1) Remote Code Execution Vulnerability (CVE-2025-49596)

**Date Reported:** June 13, 2025

**Affected Servers:** Anthropic MCP Inspector versions prior to 0.14.1

**Category:** Remote Code Execution / Authentication Bypass

**Description:** MCP Inspector is a developer-oriented debugging tool for MCP servers, consisting of a React-based client and a Node.js proxy bridging to MCP servers.
Versions prior to 0.14.1 lack authentication between the client UI and the proxy server, allowing unauthenticated HTTP requests to launch arbitrary MCP commands over stdio. Exploiting this vulnerability, an attacker with network access can send crafted requests to the proxy’s endpoints, executing arbitrary OS commands with the permissions of the MCP Inspector process. This attack can be triggered remotely through browser behaviors like the “0.0.0.0 Day” vulnerability or DNS rebinding, allowing malicious websites to bypass same-origin policies and reach exposed local MCP Inspector instances.

**Impact/Result:** Successful exploitation leads to full remote code execution on the developer’s machine, enabling persistent access, credential theft, lateral movement across networks, and potential deployment of malware. This represents a critical risk for AI development environments relying on MCP Inspector.

**Mitigations:**

- Upgrade MCP Inspector to version 0.14.1 or newer, which enforces authentication and origin validation.
- Bind MCP Inspector proxy services to localhost and restrict trusted origins.
- Avoid exposing the MCP Inspector proxy publicly or to untrusted networks.
- Use network segmentation and firewall rules to limit access to MCP Inspector instances.
- Monitor for suspicious local requests to MCP Inspector proxy endpoints.

🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

### :closed_lock_with_key: Smithery.ai Hosted MCP Servers - dockerBuildPath Path Traversal

**Date Reported:** October 23, 2025

**Affected Servers:** Servers deployed using Smithery.ai (potentially over 3,000 MCP servers)

**Category:** Misconfiguration and Simple Path Traversal

**Description:** Smithery is an MCP server hosting service.
Researchers discovered improper validation of the dockerBuildPath configuration value in the registry's build process, and manipulated this parameter to reference locations outside of the MCP server code repository, effectively giving them arbitrary access to files on the user's workstation. Researchers were able to exfiltrate sensitive files - including Docker authorization credentials, specifically a fly.io API token, which gave them overprivileged access to Smithery's Docker registry AND fly.io's machines API. This gave them the ability to run arbitrary code on any of the 3,000+ hosted MCP servers.

**Impact/Result:** Unauthorized access to sensitive infrastructure files and exfiltration of administrative credentials, which allowed further malicious access to Smithery-hosted MCP servers, enabling traffic interception from those servers and further capture of API keys from organizations using those servers. No malicious exploitation was reported, and the vulnerability was fully remediated on June 15, 2025.

**Mitigations:**

- Use environment variables or secure vaults rather than storing API keys in files
- Apply the principle of least privilege to all access tokens
- Ensure all access tokens are regularly rotated
- Run MCP servers in isolated containers under your control
- Deploy MCPs using a secure gateway (such as MCP Manager)

🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

## 💉 Prompt/Command Injections:

### :closed_lock_with_key: Atlassian MCP Prompt Injection Via Support Ticket

**Date Reported:** June 19, 2025

**Affected Servers:** Atlassian MCP instances with Jira Service Management (JSM) and Confluence integrations

**Category:** Privileged Prompt Injection

**Description:** Researchers at Cato Networks inserted a malicious prompt into a Jira Service Management support ticket, which manipulated MCP‑connected AI agents into running commands using the internal support engineer’s privileges.
The researchers exfiltrated sensitive tenant data without direct system or MCP access, exploiting untrusted external input in privileged AI contexts.

**Impact/Result:** Potential leakage of internal ticket data and confidential tenant information via the support thread. Demonstrated as a working Proof‑of‑Concept, but it poses a high‑impact data breach risk.

**Mitigations:**

- Use an MCP Gateway to sanitize prompts and enforce access controls and permissions on AI agents as well as human users
- Strong input validation and prompt isolation
- Monitor/audit MCP command execution

🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

### :closed_lock_with_key: GitHub MCP - Prompt Injection Via Submitted Issue

**Date Reported:** May 26, 2025

**Affected Servers:** GitHub MCP servers managing multiple repositories, including private ones accessible by developers using MCP-enabled AI assistants

**Category:** Prompt Injection

**Description:** Researchers placed hidden prompt injection payloads into issues in public GitHub repositories. These prompts successfully influenced AI agents (which had broad OAuth permissions across organizational repositories) into creating public pull requests that contained sensitive data and proprietary code.

**Impact/Result:** Attackers could exfiltrate private repository content, including source code and sensitive project details, by manipulating AI agents into publishing confidential data in public pull requests.

**Mitigations:**

- Use an MCP gateway to enforce permissions and runtime guardrails for AI agents
- Use an MCP gateway to block/sanitize retrieved data for malicious prompts
- Avoid using broad OAuth tokens and limit AI agent permissions to least privilege
- Enforce human review/explicit approval for AI-generated pull requests
- Restrict AI agent repository scope to avoid cross-repository data access.


🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

### :closed_lock_with_key: Supabase Cursor Agent SQL Injection

**Date Reported:** June 6th, 2025

**Affected Servers:** Supabase MCP servers running the Cursor agent with service_role access (bypassing Row-Level Security)

**Category:** Privileged Prompt Injection / Command Injection with Data Exfiltration

**Description:** Supabase’s Cursor agent (when operating with elevated service_role privileges) executed SQL commands embedded in support tickets. Malicious instructions in the support ticket text caused the agent to access and read sensitive tables (including access tokens) and then post the sensitive data back into the ticket thread (successful exfiltration).

**Impact/Result:** A single prompt injection was able to fully expose an SQL database, which could enable sensitive data exfiltration and multi-system takeover if the stolen credentials were used before they could be deactivated.

**Mitigations:**

- Use an MCP gateway to filter, sanitize or block malicious or harmful inputs and outputs between agent/user and MCP server
- Use an MCP gateway to enforce strict role-based access
- Wrap all SQL responses with prompting that dissuades LLMs from following instructions or commands within user-submitted data
- Use “data masking” to obscure sensitive data
- Do not run agents with full service_role access (principle of least privilege)
- Don’t give agents write access (this would’ve prevented sensitive data being added into the ticket thread)

🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

### :closed_lock_with_key: Anthropic SQLite Server - SQL Injection

**Date Reported:** April 10, 2025

**Affected Servers:** Anthropic SQLite MCP Server reference implementation (archived on May 29, 2025; forked over 5,000 times)

**Category:** SQL Injection / Stored Prompt Injection / Privilege Escalation

**Description:** A classic SQL injection vulnerability in Anthropic’s SQLite MCP server could have allowed attackers to inject malicious SQL queries, due to unsanitized input being concatenated into SQL statements. This enables stored prompt injection, where attackers embed harmful prompts within stored data which later influence AI agents to execute privileged actions such as data exfiltration or internal tool misuse (e.g., sending customer data to attacker-controlled emails). Although the repository is archived and deemed a demo, its wide forking creates a significant supply-chain risk for the many downstream AI agents and projects that continue to use or build on this vulnerable code.

**Impact/Result:** The vulnerability lets attackers hijack AI agent workflows by inserting malicious stored prompts, bypassing backend safety checks, and triggering automated tooling (email, database, cloud APIs) to steal data or enable lateral movement. This can lead to extensive data exposure and system compromise across thousands of affected AI agents.

**Mitigations:**

- Avoid using the vulnerable reference SQLite MCP server, or ensure forks are patched to use parameterized queries and input validation
- Review AI agent workflows to limit implicit trust in internal data sources and stored prompts
- Restrict access to sensitive tools in privileged AI contexts and enforce human review where appropriate
- Use an MCP gateway to enforce permissions and guardrails on AI agents and to sanitize communication between agents and servers.

🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

### :closed_lock_with_key: Framelink Figma MCP Server Command Injection Vulnerability (CVE-2025-53967)

**Date Reported:** October 07, 2025

**Affected Servers:** Framelink Figma MCP Server versions prior to 0.6.3

**Category:** Command Injection / Remote Code Execution

**Description:** Researchers at Imperva discovered a command injection vulnerability in the Framelink Figma MCP server (versions prior to 0.6.3). This server is very popular, with over 100,000 downloads per month at time of writing (October 2025).
The vulnerability emerges when the function "fetchWithRetry" fails and the MCP client falls back to executing a curl command via child_process.exec. This command is constructed by directly interpolating URL and header values into a shell command. Malicious actors could craft a URL or header value that injects arbitrary shell commands, from attackers on the same network (e.g. public WiFi) or from a compromised organization-owned device.

**Impact/Result:** Remote code execution (RCE) on the host machine. Additionally, attackers could use DNS rebinding to trick the victim into visiting a crafted website. As this server is deployed locally (Workstation deployment), attackers could also exploit users' trust in local tools to stay hidden for longer, and access local files, exfiltrate credentials, or implant viruses.

**Mitigations:**

- Immediately update to version 0.6.3 and/or migrate to the official Figma MCP server
- Always sandbox/containerize Workstation (locally-deployed) MCP servers
- Where possible, restrict Workstation MCPs' access to shared networks (to mitigate attacks via malicious actors/compromised machines on those networks)
- Run Workstation MCPs on machines that aren't connected to your corporate network - to reduce the spread of an attack should your Workstation be infected

🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

## 🛠️ Tool Poisoning:

### :closed_lock_with_key: MCP Remote - Remote Code Execution Via Crafted Authorization Endpoint (CVE-2025-6514)

**Date Reported:** July 9, 2025

**Affected Servers:** MCP-Remote versions 0.0.5 through 0.1.15

**Category:** Command Injection / Remote Code Execution **(via Tool Poisoning)**

**Description:** A critical vulnerability in the mcp-remote client proxy allows attackers controlling a malicious MCP server to execute arbitrary OS commands on the client machine. During connection initialization and OAuth authorization, the malicious MCP server returns a specially crafted authorization_endpoint URL.
When mcp-remote processes this URL, it triggers a command injection due to unsafe handling of URL input, launching commands on the client’s underlying OS. This exposure affects popular MCP clients (e.g., Claude Desktop) that use mcp-remote to communicate with remote MCP servers over HTTP/S. The vulnerability enables full system compromise if exploited successfully.

**Impact/Result:** Attackers can gain full remote code execution on the victim’s machine running mcp-remote, potentially leading to complete system control. On Windows, the exploit allows full command execution with parameter control; on macOS/Linux, arbitrary executable execution with some limitations is possible.

**Mitigations:**

- Upgrade mcp-remote to version 0.1.16 or later, where the vulnerability is fixed.
- Connect only to trusted MCP servers using secure transport (HTTPS).
- Avoid connecting to untrusted or unknown MCP servers.
- Monitor MCP client activity and logs for unusual authorization URL accesses or command executions.
- Employ an MCP gateway to validate MCP server responses and intercept suspicious authorization URLs before they reach the client.

🗂️ [Return to Index List](#%EF%B8%8F-index-list) ⤴️

## Secure Your MCP Ecosystem With MCP Manager 🛡️

[MCP Manager](https://mcpmanager.ai/) is the secure gateway for leaders driving enterprise AI adoption. It provides observability, policy enforcement, identity management, and more. Prevent security threats before they surface. Join organizations using [MCP Manager](https://mcpmanager.ai/) to increase AI and MCP adoption at their organization, while strengthening their security posture.
