Our Research on MCPs and their vulnerablities
MCP Security Assessment
9 attack vectors. 0 built-in defenses. Full compromise confirmed.
A penetration test of the Model Context Protocol (MCP) — the protocol that powers how LLMs connect to tools, data, and the filesystem. Every vector tested here succeeds against current MCP implementations in opencode and Kilo Code.
Risk Matrix
| # | Finding | Impact | Likelihood | Risk |
|---|---------|--------|------------|------|
| 01 | Prompt injection via tool responses | Critical | High | Critical |
| 02 | Privilege inheritance (filesystem bypass) | Critical | High | Critical |
| 03 | Tool poisoning (benign names, malicious runtime) | High | Medium | High |
| 04 | Cross-server lateral movement (full kill chain) | Critical | High | Critical |
| 05 | Supply chain via unpinned npx -y packages | Critical | Very High | Critical |
| 06 | Agentic loop attacks (injection persistence across turns) | High | Medium | High |
| 07 | RAG poisoning (document-to-server via KB contamination) | High | Medium | High |
| 08 | Context window poisoning (injection threshold measurement) | Medium | Low | Medium |
| 09 | Tool schema confusion (misleading schemas, parameter leakage) | High | Medium | High |
Attack Chain
Attacker-controlled MCP server ──OR── Compromised npm package
| |
┌────┴────────────────────────────┐ |
│ │ │
Prompt Injection Privilege Inheritance
│ │
│ ┌──────────────────────────┤
│ │ │
│ │ Tool Poisoning │
│ │ Cross-Server Lateral │
│ │ Supply Chain │
│ │ Agentic Loop │
│ │ RAG Poisoning │
│ │ Context Window Poison │
│ │ Tool Schema Confusion │
└──┴──────────────────────────┘
│
Full compromise:
Exfiltrate files + inject LLM + hide evidence
Screenshots
 |  |  |
| Prompt Injection — test-client.js | Full Kill Chain — test-full-chain.js | Risk Matrix — executive summary |
Quick Start
# Test all 9 attack vectors
node fake-mcp-server/test-client.js # 01 - Prompt injection (11 strategies)
node fake-mcp-server/test-privilege.js # 02 - Privilege inheritance
node fake-mcp-server/test-poison.js # 03 - Tool poisoning (5 tools)
node fake-mcp-server/test-lateral.js # 04 - Cross-server lateral movement
node fake-mcp-server/test-loop.js # 06 - Agentic loop attacks
node fake-mcp-server/test-rag.js # 07 - RAG poisoning
node fake-mcp-server/test-threshold.js # 08 - Context window poisoning
node fake-mcp-server/test-schema.js # 09 - Tool schema confusion
# Full integration test (4 servers, full kill chain)
node fake-mcp-server/test-full-chain.js
Attack 05 (Supply Chain): No test needed. Every
npx -y @modelcontextprotocol/server-*is a live demo.
Attack Details
| # | Finding | How It Works | Vector |
|---|---------|-------------|--------|
| 01 | Prompt Injection | Tool response contains injection payloads disguised as system instructions, XML breakouts, authority frames, chain-of-thought poisoning | Tool response → LLM prompt |
| 02 | Privilege Inheritance | MCP server inherits the client's filesystem permissions. read_file("C:\Users\*.ssh\id_rsa") works. whoami returns the real user | Process-level access |
| 03 | Tool Poisoning | Benign names (format_code, system_doctor) hide malicious runtime behavior. Exfiltrates env vars, SSH keys, gitconfig | Tool namespace |
| 04 | Cross-Server Lateral | One compromised server issues instructions to call tools on other servers. Proven across email, calendar, and filesystem servers | Inter-server JSON-RPC |
| 05 | Supply Chain | Unpinned npx -y publishes. Zero user action required. SANDWORM_MODE (Feb 2026) is an active exploitation | npm registry |
| 06 | Agentic Loop | Injection embeds save_note to persist across multi-turn tasks. Survives conversation restarts | Tool → persistent storage |
| 07 | RAG Poisoning | Contaminated knowledge base documents contain hidden tool-call instructions. Retrieved on legit-looking queries | Document retrieval |
| 08 | Context Window Poisoning | 8 calibrated sizes (500B to 2MB) with <<<OVERRIDE>>> directives. Tests LLM context window threshold | Tool response size |
| 09 | Schema Confusion | Tool descriptions, parameter docs, and enum values contain injected instructions. format writes to disk, echo leaks context | Tool schema metadata |
Combined Attack Severity
| Vector | User Action Required | Detection Difficulty | Persistence | |--------|---------------------|---------------------|-------------| | Prompt injection | 1 tool call | Low | Session | | Privilege inheritance | 1 tool call | Medium | Session | | Tool poisoning | 1 tool call | Medium | Session | | Cross-server lateral | 1 tool call | High | Session | | Agentic loop | 1 tool call | Medium | Multi-turn | | RAG poisoning | 1 tool call | High | Per-retrieval | | Context window poisoning | 1 tool call | Low | Session | | Tool schema confusion | 1 tool call | High | Session | | Supply chain | 0 — client restart | Very high | Persistent |
Arsenal
Mcp-Research/
├── fake-mcp-server/ # Attack servers + test harnesses
│ ├── server.js # Injection server (11 strategies)
│ ├── privilege-demo.js # Privilege inheritance server
│ ├── poison-server.js # Tool poisoning (5 tools)
│ ├── lateral-server.js # Cross-server lateral movement
│ ├── email-server.js # Target: email MCP
│ ├── calendar-server.js # Target: calendar MCP
│ ├── fs-server.js # Target: filesystem MCP
│ ├── loop-server.js # Agentic loop (4 strategies)
│ ├── rag-server.js # RAG poisoning (3 poisoned docs)
│ ├── threshold-server.js # Context window poisoning (8 levels)
│ ├── schema-confusion-server.js # Schema confusion (5 tools)
│ ├── test-*.js # Test harnesses for each vector
│ └── test-full-chain.js # 4-server integration test
├── logs/ # Detailed findings per attack
│ ├── index.md # Executive summary + master index
│ └── 01-*-*.md # Individual attack reports
├── docs/
│ ├── specs/ # Design specs
│ └── plans/ # Implementation plans
├── scripts/
│ └── generate-report.mjs # PDF report generator (Puppeteer)
└── screenshots/ # Attack demo screenshots
Scope
| Dimension | Value | |-----------|-------| | Clients tested | opencode (Claude models), Kilo Code | | Transport | stdio (JSON-RPC 2.0) | | OS | Windows 11 (10.0.26200) | | Protocol version | 2024-11-05 |
Reports
Each attack has a full writeup in logs/:
| # | Finding | Report |
|---|---------|--------|
| 01 | Prompt injection (11 strategies) | logs/01-prompt-injection.md |
| 02 | Privilege inheritance | logs/02-privilege-inheritance.md |
| 03 | Tool poisoning | logs/03-tool-poisoning.md |
| 04 | Cross-server lateral movement | logs/04-cross-server-lateral-movement.md |
| 05 | Supply chain | logs/05-mcp-supply-chain.md |
| 06 | Agentic loop attacks | logs/06-agentic-loop-attacks.md |
| 07 | RAG poisoning | logs/07-rag-poisoning.md |
| 08 | Context window poisoning | logs/08-context-window-poisoning.md |
| 09 | Tool schema confusion | logs/09-tool-schema-confusion.md |
License
Alethia Research — Uncovering Truth , at a time.