Everything you need to know about Model Context Protocol (MCP) security.
Security considerations from the official MCP specification, rev. 2025-03-26
Note
15.04.2025: The current MCP auth specification is being replaced by a more robust specification. Please join the conversation if you have concerns about the current auth specification.
Servers MUST:
- Validate all tool inputs
- Implement proper access controls
- Rate limit tool invocations
- Sanitize tool outputs
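The four server requirements above, worked into a single `tools/call` handler: the arguments are checked against the tool's declared `inputSchema`, the caller is authorized and rate limited, and the output is sanitized before it goes back to the client. This is an added example, not code from the MCP specification or any MCP SDK: the `grep_logs` tool, the per-caller allowlist `ACL`, the rate-limit budget and the sample log lines are constructed for illustration, and the schema checker covers only the JSON Schema keywords that tool `inputSchema`s commonly use.

```python
"""Server-side guard rails for an MCP tool handler (added example, not SDK code)."""
import re
import time
from collections import deque

# A tool definition in the shape servers advertise from tools/list (constructed).
GREP_LOGS_TOOL = {
    "name": "grep_logs",
    "inputSchema": {
        "type": "object",
        "properties": {
            "pattern": {"type": "string", "maxLength": 128},
            "level": {"type": "string", "enum": ["info", "warn", "error"]},
            "limit": {"type": "integer", "minimum": 1, "maximum": 100},
        },
        "required": ["pattern"],
        "additionalProperties": False,
    },
}

# Per-caller tool allowlist (constructed). A real server derives the caller from the
# authenticated connection, never from a field the client can set in the request.
ACL = {"ops-agent": {"grep_logs"}, "guest": set()}


class ToolCallError(Exception):
    pass


def validate_args(schema, args):
    """Check `args` against the subset of JSON Schema used in tool inputSchemas."""
    if not isinstance(args, dict):
        raise ToolCallError("arguments must be a JSON object")
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in args:
            raise ToolCallError(f"missing required argument: {key}")
    if schema.get("additionalProperties") is False:
        extra = set(args) - set(props)
        if extra:
            raise ToolCallError(f"unexpected arguments: {sorted(extra)}")
    type_map = {"string": str, "integer": int, "number": (int, float), "boolean": bool}
    for key, value in args.items():
        spec = props.get(key, {})
        expected = type_map.get(spec.get("type"))
        if expected is not None:
            # bool is a subclass of int in Python, so reject True/False for numeric fields
            if (isinstance(value, bool) and spec["type"] != "boolean") or not isinstance(value, expected):
                raise ToolCallError(f"argument {key!r} must be of type {spec['type']}")
        if "enum" in spec and value not in spec["enum"]:
            raise ToolCallError(f"argument {key!r} must be one of {spec['enum']}")
        if "maxLength" in spec and len(value) > spec["maxLength"]:
            raise ToolCallError(f"argument {key!r} longer than {spec['maxLength']} characters")
        if "minimum" in spec and value < spec["minimum"]:
            raise ToolCallError(f"argument {key!r} below minimum {spec['minimum']}")
        if "maximum" in spec and value > spec["maximum"]:
            raise ToolCallError(f"argument {key!r} above maximum {spec['maximum']}")
    return args


class RateLimiter:
    """Sliding window: at most `max_calls` per `window` seconds for each caller."""

    def __init__(self, max_calls=10, window=60.0, clock=time.monotonic):
        self.max_calls, self.window, self.clock = max_calls, window, clock
        self._calls = {}

    def allow(self, caller):
        now = self.clock()
        q = self._calls.setdefault(caller, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")          # terminal escape sequences
CTRL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")    # control chars except \t \n \r


def sanitize_output(text, max_chars=4000):
    """Strip escape/control characters and cap the size of what the model will see."""
    text = CTRL_RE.sub("", ANSI_RE.sub("", text))
    if len(text) > max_chars:
        text = text[:max_chars] + "\n[output truncated]"
    return text


def grep_logs_impl(pattern, level=None, limit=20):
    # Constructed sample log lines standing in for a real log source.
    lines = ["info login ok", "error db \x1b[31mtimeout\x1b[0m", "warn disk 91%"]
    # re.escape: the caller's pattern is matched literally, so it cannot be a ReDoS payload.
    hits = [l for l in lines if re.search(re.escape(pattern), l) and (level is None or l.startswith(level))]
    return "\n".join(hits[:limit])


LIMITER = RateLimiter(max_calls=10, window=60.0)


def handle_tool_call(caller, tool, args):
    """tools/call handler returning a CallToolResult-shaped dict; failures use isError."""
    def error(msg):
        return {"isError": True, "content": [{"type": "text", "text": msg}]}

    if tool["name"] not in ACL.get(caller, set()):
        return error("not authorized for this tool")
    if not LIMITER.allow(caller):
        return error("rate limit exceeded")
    try:
        validate_args(tool["inputSchema"], args)
    except ToolCallError as e:
        return error(f"invalid input: {e}")
    return {"isError": False, "content": [{"type": "text", "text": sanitize_output(grep_logs_impl(**args))}]}
```

The validator runs before the tool body, so a request that is malformed, oversized or outside the declared enum never reaches the underlying command; the sanitizer runs after it, so escape sequences or control characters in a log line cannot reach the model's context or the user's terminal unfiltered.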
Clients SHOULD:
- Prompt for user confirmation on sensitive operations
- Show tool inputs to the user before calling the server, to avoid malicious or accidental data exfiltration
- Validate tool results before passing to LLM
- Implement timeouts for tool calls
- Log tool usage for audit purposes
Warning
For trust & safety and security, clients MUST consider tool annotations to be untrusted unless they come from trusted servers.
Warning
For trust & safety and security, there SHOULD always be a human in the loop* with the ability to deny tool invocations.
Applications SHOULD:
- Provide UI that makes clear which tools are being exposed to the AI model.
- Insert clear visual indicators when tools are invoked.
- Present confirmation prompts to the user for operations, to ensure a human is in the loop.
Note
*Human-in-the-Loop (HITL) means that users help monitor and guide automated tasks, for example by deciding whether to accept tool requests in Cursor.
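The client-side guidance above (confirmation for sensitive operations, showing the inputs to the user, validating results, timeouts, audit logging, and the warning that tool annotations are untrusted unless the server is trusted) as one client policy. This is an added example, not code from the MCP specification or any MCP SDK. The `readOnlyHint` annotation is the one defined in the 2025-03-26 specification; `TRUSTED_SERVERS`, the `invoke` and `ask_user` callbacks, the in-memory pin store and the content types the client accepts are assumptions made for illustration.

```python
"""Client-side tool-call policy for MCP (added example, not SDK code)."""
import hashlib
import json
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as CallTimeout

TRUSTED_SERVERS = {"internal-docs"}          # assumption: servers operated by us
ACCEPTED_CONTENT = {"text", "image", "audio", "resource"}  # what this client will render


def tool_fingerprint(tool):
    """Hash the parts of a tool definition a poisoned or swapped server can change."""
    canon = json.dumps({k: tool.get(k) for k in ("name", "description", "inputSchema", "annotations")},
                       sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def validate_result(result, max_chars=8000):
    """Shape-check a tools/call result before it is handed to the model."""
    if not isinstance(result, dict) or not isinstance(result.get("content"), list):
        raise ValueError("tool result must be an object with a content list")
    for item in result["content"]:
        if not isinstance(item, dict) or item.get("type") not in ACCEPTED_CONTENT:
            raise ValueError("unexpected content item")
        if item["type"] == "text" and len(item.get("text", "")) > max_chars:
            item["text"] = item["text"][:max_chars] + "\n[truncated by client]"
    return result


class ToolPolicy:
    def __init__(self, trusted=TRUSTED_SERVERS):
        self.trusted = set(trusted)
        self.pins = {}    # (server, tool name) -> fingerprint seen at first use (persist this in practice)
        self.audit = []   # audit records; a real client writes these to a log

    def decide(self, server, tool, args):
        """Return 'deny', 'confirm' or 'allow' for a proposed tool call."""
        key = (server, tool["name"])
        fp = tool_fingerprint(tool)
        if self.pins.setdefault(key, fp) != fp:
            return "deny"  # definition changed since it was pinned: needs human re-review
        # Annotations from an untrusted server are ignored entirely, so its tools are
        # treated as side-effecting; only a trusted server's readOnlyHint skips confirmation.
        ann = tool.get("annotations", {}) if server in self.trusted else {}
        return "allow" if ann.get("readOnlyHint") is True else "confirm"

    def call(self, server, tool, args, invoke, ask_user, timeout=30.0):
        """Decide, show the exact inputs, confirm, invoke with a timeout, then audit."""
        decision = self.decide(server, tool, args)
        record = {"ts": time.time(), "server": server, "tool": tool["name"],
                  "args": args, "decision": decision}
        if decision == "confirm":
            shown = json.dumps(args, sort_keys=True)   # the user approves exactly these bytes
            if not ask_user(f"Allow {server}/{tool['name']} with arguments {shown}?"):
                decision = record["decision"] = "denied_by_user"
        if decision in ("deny", "denied_by_user"):
            record["outcome"] = "not_called"
            self.audit.append(record)
            return None
        pool = ThreadPoolExecutor(max_workers=1)
        try:
            result = validate_result(pool.submit(invoke, args).result(timeout=timeout))
            record["outcome"] = "ok"
        except CallTimeout:
            result, record["outcome"] = None, "timeout"
        except ValueError as e:
            result, record["outcome"] = None, f"invalid_result: {e}"
        finally:
            pool.shutdown(wait=False)  # do not block on a hung call; a real client also cancels the request
        self.audit.append(record)
        return result
```

Pinning the fingerprint at first use is what catches a server that advertises a harmless description when it is installed and a different one later; the deny is deliberate, because the new definition has to be reviewed by a person, not silently re-pinned.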
- (2025-04) MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits by Brandon Radosevich, John Halloran
- (2025-03) Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions by Xinyi Hou, Yanjie Zhao, Shenao Wang, Haoyu Wang
- (11.04.2025) This MCP Server Trick Can Steal Your API Keys by Prompt Engineering
- (09.04.2025) MCP Servers are Security Nightmares... by Better Stack
- (03.04.2025) MCP Security: Vetting Servers to Mitigate Tool Poisoning Attacks by JeredBlue
- (03.04.2025) Model Context Protocol (MCP) Security Concerns by Cory Wolff
- (11.04.2025) Diving Into the MCP Authorization Specification by Allen Zhou
- (11.04.2025) Vulnerability Discovered in Base-MCP: Hackers Can Redirect Transactions on Cursor AI and Anthropic Claude by @jlwhoo7
- (09.04.2025) Here's an example of remote MCP malware that steals your .env secrets in @cursor_ai by Maciej Pulikowski
- (09.04.2025) Old Security Rakes In New MCP Yards by Den Delimarsky
- (09.04.2025) Model Context Protocol has prompt injection security problems by Simon Willison
- (07.04.2025) (RFC) Update the Authorization specification for MCP servers #284 by localden
- (07.04.2025) Improving The Model Context Protocol Authorization Spec - One RFC At A Time by Den Delimarsky
- (07.04.2025) Running MCP Tools Securely by mcp.run
- (07.04.2025) WhatsApp MCP Exploited: Exfiltrating your message history via MCP by invariantlabs.ai
- (07.04.2025) An Introduction to MCP and Authorization by auth0
- (06.04.2025) The “S” in MCP Stands for Security by Elena Cross
- (04.04.2025) MCP Servers are not safe! by Mehul Gupta
- (03.04.2025) Let's fix OAuth in MCP by Aaron Parecki
- (03.04.2025) MCP Resource Poisoning Prompt Injection Attacks by Bernard IQ
- (01.04.2025) MCP Security Notification: Tool Poisoning Attacks by invariantlabs.ai
- (31.03.2025) The MCP Authorization Spec Is... a Mess for Enterprise by Christian Posta
- (31.03.2025) Securing the Model Context Protocol by Alex Rosenzweig
- (29.03.2025) MCP Servers: The New Security Nightmare by equixly.com
- (23.03.2025) AI Model Context Protocol (MCP) and Security by Cisco
- (13.02.2025) Chained commands (&&) bypass yolo mode “denylist” in Cursor by lukemmtt
- (15.04.2025) MCP-Shield – Detect security issues in MCP servers by riseandignite
- (10.04.2025) mcp-scan by invariantlabs-ai
- (07.04.2025) mcp-injection-experiments by invariantlabs-ai
- (31.03.2025) I gave Claude root access to my server... Model Context Protocol explained by Fireship
- (17.03.2025) Model Context Protocol (MCP): The Key To Agentic AI by Jack Herrington
- Official MCP Specification
- Model Context Protocol - Official MCP website
👍🎉 First off, thanks for taking the time to contribute! 🎉👍
Please read and follow our contributing guide
Thanks! 🦄
This project is for educational purposes only. Using this resource against target systems without prior permission is illegal, and the author is not responsible for any damage resulting from misuse of this material.