Awesome MCP Security 
Everything you need to know about Model Context Protocol (MCP) security.
Table of Contents
📔 Security Considerations
Official Security Considerations from the Official MCP Specification Rev: 2025-03-26
[!NOTE] 15.04.2025: The current MCP auth specification is in progress of being replaced by a more robust specification. Please join the conversation if you have concerns around the current auth specification.
-
Servers MUST:
- Validate all tool inputs
- Implement proper access controls
- Rate limit tool invocations
- Sanitize tool outputs
-
Clients SHOULD:
- Prompt for user confirmation on sensitive operations
- Show tool inputs to the user before calling the server, to avoid malicious or accidental data exfiltration
- Validate tool results before passing to LLM
- Implement timeouts for tool calls
- Log tool usage for audit purposes
[!WARNING]
For trust & safety and security, clients MUST consider tool annotations to be untrusted unless they come from trusted servers.
[!WARNING]
For trust & safety and security, there SHOULD always be a human in the loop* with the ability to deny tool invocations.Applications SHOULD:
- Provide UI that makes clear which tools are being exposed to the AI model.
- Insert clear visual indicators when tools are invoked.
- Present confirmation prompts to the user for operations, to ensure a human is in the loop.
[!NOTE]
*Human-in-the-Loop (HITL) means that user help monitor and guide automated tasks, like deciding whether to accept tool requests in Cursor.
📃 Papers
- (2025-08) Systematic Analysis of MCP Security
- (2025-05) Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol Ecosystem
- (2025-05) Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies
- (2025-04) Simplified and Secure MCP Gateways for Enterprise AI Integration by Ivo Brett
- (2025-04) MCP Guardian: A Security-First Layer for Safeguarding MCP-Based AI System by Sonu Kumar, Anubhav Girdhar, Ritesh Patil, Divyansh Tripathi
- (2025-04) MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits by Brandon Radosevich, John Halloran
- (2025-03) Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions by Xinyi Hou, Yanjie Zhao, Shenao Wang, Haoyu Wang
📺 Videos
- (13.06.2025) MCP Auth: The Future of AI Agent Security - by Arcade.dev
- (17.05.2025) A2A - MCP SECURITY Threats: Protect your AI Agents by Discover AI
- (06.05.2025) Making MCP Production Ready – Building MCP for Enterprise - by Arcade.dev
- (11.04.2025) This MCP Server Trick Can Steal Your API Keys by Prompt Engineering
- (09.04.2025) MCP Servers are Security Nightmares... by Better Stack
- (03.04.2025) MCP Security: Vetting Servers to Mitigate Tool Poisoning Attacks by JeredBlue
- (03.04.2025) Model Context Protocol (MCP) Security Concerns by Cory Wolff
- (02.06.2025) Agentic Access: OAuth Isn't Enough | Zero Trust for AI Agents w/ Nick Taylor (Pomerium + MCP)
📕 Articles, X threads and Blog Posts
- (14.08.2025) MCP Security Best Practices: How to Prevent Risks and Threats by Dmitriy Redkin
- (08.08.2025) we hijacked cursor via jira mcp by submitting a support ticket by @mbrg0
- (28.07.2025) We built the security layer MCP always needed by Cliff Smith
- (24.07.2025) Security Advisory: Anthropic's Slack MCP Server Vulnerable to Data Exfiltration by WUNDERWUZZI
- (11.07.2025) Securing Model Context Protocol (MCP) with Teleport and AWS
- (10.07.2025) Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads by Ravie Lakshmanan
- (06.07.2025) Combine the Supabase MCP with another MCP that provides exposure to untrusted tokens and a way to send data back out again by Simon Willison
- (05.07.2025) Neon official remote MCP exploited!
- (19.06.2025) Cato CTRL Threat Research: PoC Attack Targeting Atlassian's Model Context Protocol (MCP) Introduces New "Living Off AI" Risk
- (18.06.2025) Asana Discloses Data Exposure Bug in MCP Server by Greg Pollock
- (30.05.2025) Poison everywhere: No output from your MCP server is safe by Simcha Kosman
- (26.05.2025) GitHub MCP Exploited: Accessing private repositories via MCP by invariantlabs.ai
- (20.05.2025) Securing the Model Context Protocol: Building a safer agentic future on Windows
- (16.05.2025) MCP Security in 2025
- (02.05.2025) Security Best Practices by Model Context Protocol
- (30.04.2025) Insecure credential storage plagues MCP by Keith Hoodlet
- (29.04.2025) Deceiving users with ANSI terminal codes in MCP by Keith Hoodlet
- (29.04.2025) Building Own MCP - Augmented LLM for Threat Hunting by Eito Tamura
- (23.04.2025) How MCP servers can steal your conversation history by Keith Hoodlet
- (21.04.2025) Jumping the line: How MCP servers can attack you before you ever use them
- (19.04.2025) OAuth's Role in MCP Security by Gunnar Peterson
- (17.04.2025) Research Briefing: MCP Security by Rami McCarthy
- (17.04.2025) MCP Not Safe - Reasons and Ideas by Phala Network
- (15.04.2025) MCP can be a security nightmare for building AI Agents by Rakesh Gohel
- (15.04.2025) Model Context Protocol (MCP) aka Multiple Cybersecurity Perils by Chris Martorella
- (14.04.2025) Model Context Protocol (MCP) Security by Evren
- (14.04.2025) Security Analysis: Potential AI Agent Hijacking via MCP and A2A Protocol Insights by Nicky
- (14.04.2025) MCP Security Checklist: A Security Guide for the AI Tool Ecosystem by slowmist
- (13.04.2025) Everything Wrong with MCP by Shrivu Shankar
- (11.04.2025) Diving Into the MCP Authorization Specification by Allen Zhou
- (11.04.2025) Vulnerability Discovered in Base-MCP: Hackers Can Redirect Transactions on Cursor AI and Anthropic Claude by @jlwhoo7
- (09.04.2025) Here's an example of remote MCP malware that steals your .env secrets in @cursor_ai by Maciej Pulikowski