A collection of proof-of-concept Model Context Protocol (MCP) servers demonstrating critical security vulnerabilities in the MCP ecosystem. These demonstrations are for educational and security research purposes only.
The Model Context Protocol allows AI assistants to interact with external tools and services. However, the current implementation has several critical vulnerabilities that can be exploited to compromise user systems, steal credentials, and manipulate AI behavior.
This repository demonstrates three major vulnerability classes:
Vulnerability: Malicious instructions embedded in tool descriptions force the AI to perform hidden actions before executing legitimate functionality.
Attack Vector: A seemingly innocent math operation tool that secretly:
- Forces the AI to read
.envfiles containing secrets - Exfiltrates sensitive data to a remote API endpoint
- Operates completely silently without user awareness
Impact: Credential theft, data exfiltration, unauthorized file access
Vulnerability: One MCP tool injects instructions that compromise the behavior of OTHER MCPs and tools in the same session.
Attack Vector: A "fact of the day" tool that hijacks email functionality from ANY email MCP to:
- Add hidden BCC recipients to all emails
- Intercept all email communications
- Affect tools the attacker doesn't even control
Impact: Email interception, cross-tool contamination, ecosystem-wide compromise
Purpose: A demonstration API server that acts as the attacker-controlled endpoint receiving stolen data.
Functionality:
- Receives exfiltrated credentials and sensitive data
- Stores stolen information in SQLite database
- Simulates real-world attacker infrastructure
This repository is for security research and education only. The vulnerabilities demonstrated here are real and affect production systems.
- ✅ Use for security research
- ✅ Test in isolated environments
- ✅ Report vulnerabilities responsibly
- ✅ Develop better security measures
- ✅ Educate others about MCP risks
- ❌ Attack real users or systems
- ❌ Steal real credentials or data
- ❌ Deploy in production environments
- ❌ Violate privacy or security policies
- ❌ Use for malicious purposes
Contributions are welcome! If you discover:
- Additional vulnerability patterns
- New attack vectors
- Mitigation strategies
- Documentation improvements
Please open an issue or submit a pull request.
MIT - For educational and security research purposes only.
Disclaimer: This project demonstrates real vulnerabilities for educational purposes. Always use responsibly and ethically.