MCP Server Vulnerabilities
Understanding and mitigating security risks in Model Context Protocol servers used by AI coding tools like Cursor, Windsurf, Claude Code, and more.
What is MCP?
The Model Context Protocol (MCP) is an open standard developed by Anthropic that enables AI models to interact with external tools and resources. MCP servers provide AI assistants with capabilities like:
File System Access
Read, write, and modify files in the project directory
Terminal Commands
Execute shell commands for builds, tests, and deployments
API Integrations
Connect to external services, databases, and APIs
Browser Automation
Browse websites, fill forms, and extract information
Vulnerability Categories
Command Injection (Severity: Critical)
MCP servers that execute shell commands can be vulnerable to command injection when inputs aren't properly sanitized. Attackers can break out of intended commands and execute arbitrary code.
```js
const { exec } = require('child_process');

// Vulnerable: directly interpolating user input into a shell command string
// (packageName is the untrusted argument supplied in the MCP tool request)
exec(`npm install ${packageName}`);
// Attack: packageName = "lodash; rm -rf /"
// Executes: npm install lodash; rm -rf /
```

```js
const { execFile } = require('child_process');

// Fixed: parameterized execution, no shell involved
execFile('npm', ['install', packageName]);
// Input is treated as a single argument
// Shell metacharacters are not interpreted
```

Known CVEs: CVE-2025-54135 (Cursor), CVE-2025-48757 (Lovable)
Prompt Injection (Severity: Critical)
When AI models process external content (websites, documents, code), hidden instructions can manipulate the model into performing unauthorized actions through MCP tools.
Attack Scenarios
- Malicious README files with hidden instructions
- Websites containing invisible prompt injection text
- npm packages with README-based exploits
- GitHub issues designed to trigger commands
Path Traversal (Severity: High)
File operations that don't properly validate paths can allow attackers to read or write files outside the intended directory, accessing sensitive system files or credentials.
```js
const { readFile } = require('fs/promises');

// Intended: read project files
readFile("src/config.ts");
// Attack: relative path components escape the project directory
// and reach sensitive files
readFile("../../../.ssh/id_rsa");
readFile("../../../.aws/credentials");
```

Known CVEs: CVE-2025-54136 (Cursor)
Data Exfiltration (Severity: High)
MCP servers with network access can be exploited to exfiltrate sensitive data. Combined with prompt injection, attackers can steal credentials, source code, and secrets.
Exfiltration Vectors
- HTTP requests to attacker-controlled servers
- DNS exfiltration through subdomain encoding
- Writing data to publicly accessible locations
- Embedding data in seemingly innocent outputs
Privilege Escalation (Severity: Medium)
MCP servers running with elevated privileges or access to sudo can allow attackers to escalate from application-level to system-level access.
Affected AI Coding Tools
| Tool | Known Vulnerabilities | Risk Level |
|---|---|---|
| Cursor | CVE-2025-54135, CVE-2025-54136 | Critical |
| Lovable | CVE-2025-48757 | Critical |
| Windsurf | Command Injection, Path Traversal | Critical |
| Claude Code | Permission prompts mitigate risk | Medium |
| GitHub Copilot | Limited MCP capabilities | Low |
Mitigation Strategies
Require Explicit Command Approval
Configure your AI tool to require manual approval for every terminal command and file operation.
Use Sandboxed Environments
Run AI coding tools in isolated containers or VMs without access to production credentials or sensitive files.
Implement Allowlists
Configure strict allowlists for permitted commands, file paths, and network destinations.
Review External Content Carefully
Be cautious when asking AI to analyze repositories, websites, or documents from untrusted sources.
Monitor MCP Activity
Log and review all MCP tool invocations to detect suspicious patterns or unauthorized access attempts.
Keep Tools Updated
Regularly update your AI coding tools to receive security patches for known vulnerabilities.
Frequently Asked Questions
What is an MCP server?
An MCP (Model Context Protocol) server is a component that provides AI models with access to tools, resources, and system capabilities like file access, terminal commands, and API calls.
Are MCP servers safe to use?
MCP servers can be safe when properly configured with strict permission controls, but they introduce security risks including command injection, prompt injection, and data exfiltration vulnerabilities.
How can I protect myself from MCP vulnerabilities?
Enable command approval prompts, use sandboxed environments, keep your tools updated, and be cautious when analyzing external content with AI tools.
Which AI coding tools use MCP?
Popular tools using MCP include Cursor, Windsurf, Claude Code (CLI), Lovable, and other agentic AI coding assistants that can execute commands and modify files.
Last updated: January 2025