Awesome MCP Security

Everything you need to know about Model Context Protocol (MCP) security.

Table of Contents

• Awesome MCP Security
  • 📔 Security Considerations
  • 📃 Papers
  • 📺 Videos
  • 📕 Articles, X threads and Blog Posts
  • 🧑‍🚀 Tools and code
  • 💾 MCP Security Servers
  • 💻 Other Useful Resources

📔 Security Considerations

Official Security Considerations from the Official MCP Specification Rev: 2025-03-26

[!NOTE] 15.04.2025: The current MCP auth specification is in progress of being replaced by a more robust specification. Please join the conversation if you have concerns around the current auth specification.

• Servers MUST:

  • Validate all tool inputs
  • Implement proper access controls
  • Rate limit tool invocations
  • Sanitize tool outputs

• Clients SHOULD:

  • Prompt for user confirmation on sensitive operations
  • Show tool inputs to the user before calling the server, to avoid malicious or accidental data exfiltration
  • Validate tool results before passing to LLM
  • Implement timeouts for tool calls
  • Log tool usage for audit purposes

[!WARNING]
For trust & safety and security, clients MUST consider tool annotations to be untrusted unless they come from trusted servers.

[!WARNING]
For trust & safety and security, there SHOULD always be a human in the loop* with the ability to deny tool invocations.

Applications SHOULD:

• Provide UI that makes clear which tools are being exposed to the AI model.
• Insert clear visual indicators when tools are invoked.
• Present confirmation prompts to the user for operations, to ensure a human is in the loop.

[!NOTE]
*Human-in-the-Loop (HITL) means that user help monitor and guide automated tasks, like deciding whether to accept tool requests in Cursor.

📃 Papers

• (2025-05) Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies
• (2025-04) Simplified and Secure MCP Gateways for Enterprise AI Integration by Ivo Brett
• (2025-04) MCP Guardian: A Security-First Layer for Safeguarding MCP-Based AI System by Sonu Kumar, Anubhav Girdhar, Ritesh Patil, Divyansh Tripathi
• (2025-04) MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits by Brandon Radosevich, John Halloran
• (2025-03) Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions by Xinyi Hou, Yanjie Zhao, Shenao Wang, Haoyu Wang

📺 Videos

• (13.06.2025) MCP Auth: The Future of AI Agent Security - by Arcade.dev
• (17.05.2025) A2A - MCP SECURITY Threats: Protect your AI Agents by Discover AI
• (06.05.2025) Making MCP Production Ready – Building MCP for Enterprise - by Arcade.dev
• (11.04.2025) This MCP Server Trick Can Steal Your API Keys by Prompt Engineering
• (09.04.2025) MCP Servers are Security Nightmares... by Better Stack
• (03.04.2025) MCP Security: Vetting Servers to Mitigate Tool Poisoning Attacks by JeredBlue
• (03.04.2025) Model Context Protocol (MCP) Security Concerns by Cory Wolff
• (02.06.2025) Agentic Access: OAuth Isn't Enough | Zero Trust for AI Agents w/ Nick Taylor (Pomerium + MCP)

📕 Articles, X threads and Blog Posts

• (30.05.2025) Poison everywhere: No output from your MCP server is safe by Simcha Kosman
• (26.05.2025) GitHub MCP Exploited: Accessing private repositories via MCP by invariantlabs.ai
• (20.05.2025) Securing the Model Context Protocol: Building a safer agentic future on Windows
• (16.05.2025) MCP Security in 2025
• (02.05.2025) Security Best Practices by Model Context Protocol
• (19.04.2025) OAuth's Role in MCP Security by Gunnar Peterson
• (17.04.2025) MCP Not Safe - Reasons and Ideas by Phala Network
• (15.04.2025) MCP can be a security nightmare for building AI Agents by Rakesh Gohel
• (15.04.2025) Model Context Protocol (MCP) aka Multiple Cybersecurity Perils by Chris Martorella
• (14.04.2025) Model Context Protocol (MCP) Security by Evren
• (14.04.2025) Security Analysis: Potential AI Agent Hijacking via MCP and A2A Protocol Insights by Nicky
• (14.04.2025) MCP Security Checklist: A Security Guide for the AI Tool Ecosystem by slowmist
• (13.04.2025) Everything Wrong with MCP by Shrivu Shankar
• (11.04.2025) Diving Into the MCP Authorization Specification by Allen Zhou
• (11.04.2025) Vulnerability Discovered in Base-MCP: Hackers Can Redirect Transactions on Cursor AI and Anthropic Claude by @jlwhoo7
• (09.04.2025) Here's an example of remote MCP malware that steals your .env secrets in @cursor_ai by Maciej Pulikowski
• (09.04.2025) Old Security Rakes In New MCP Yards by Den Delimarsky
• (09.04.2025) Model Context Protocol has prompt injection security problems by Simon Willisons
• (07.04.2025) (RFC) Update the Authorization specification for MCP servers #284 by localden
• (07.04.2025) Improving The Model Context Protocol Authorization Spec - One RFC At A Time by Den Delimarsky
• (07.04.2025) Running MCP Tools Securely by mcp.run
• (07.04.2025) WhatsApp MCP Exploited: Exfiltrating your message history via MCP by invariantlabs.ai
• (07.04.2025) An Introduction to MCP and Authorization by auth0
• (06.04.2025) The “S” in MCP Stands for Security by Elena Cross
• (04.04.2025) MCP Servers are not safe! by Mehul Gupta
• (03.04.2025) Let's fix OAuth in MCP by Aaron Parecki
• (03.04.2025) MCP Resource Poisoning Prompt Injection Attacks by Bernard IQ
• (01.04.2025) MCP Security Notification: Tool Poisoning Attacks by invariantlabs.ai
• (31.03.2025) The MCP Authorization Spec Is... a Mess for Enterprise by Christian Posta
• (31.03.2025) Securing the Model Context Protocol by Alex Rosenzweig
• (29.03.2025) MCP Servers: The New Security Nightmare by equixly.com
• (23.03.2025) AI Model Context Protocol (MCP) and Security by Cisco
• (13.02.2025) Chained commands (&&) bypass yolo mode “denylist” in Cursor by lukemmtt
• (18.06.2025) The Model Context Protocol Security Reality Check

🧑‍🚀 Tools and code

• MCPAuth: Gateway Authentication for Secure Enterprise MCP Integrations by Oide Brett
• mcpserverscanner.com by orgor
• mcpscan.ai
• Damn Vulnerable MCP Server by harishsg993010
• ToolHive - making MCP servers easy and secure by StacklokLabs
• MCP-Shield – Detect security issues in MCP servers by riseandignite
• mcp-scan by invariantlabs-ai
• MCP Ethical Hacking by cmpxchg16
• mcp-injection-experiments by invariantlabs-ai
• MCP Defender - Blocks malicious MCP traffic

💾 MCP Security Servers

• AI-Infra-Guard by Tencent Zhuque Lab - MCP Server Security Analysis Tool - a comprehensive, intelligent, easy-to-use, and lightweight AI Infrastructure Vulnerability Assessment.
• GhidraMCP by LaurieWired - MCP server for automatic reverse engineering in Ghidra, a software reverse engineering platform.
• IDA-Pro-MCP by mrexodia - MCP server for reverse engineering in IDA Pro, a tool for analyzing software and binary files.
• binaryninja-mcp by MCPPhalanx - MCP server for Binary Ninja, a binary analysis tool.
• Burp Suite MCP by PortSwigger - MCP integration for web security testing in Burp Suite, a security testing tool for web applications.
• BloodHound-MCP-AI by MorDavid - MCP server integration for BloodHound, a tool for analyzing Active Directory domains.
• RoadRecon MCP by atomicchonk - MCP server for Azure AD data analysis with ROADRecon, a tool for mapping Azure Active Directory environments.
• Jadx MCP Plugin by mobilehackinglab - Jadx plugin for MCP server access via HTTP, used for decompiling Android apps.
• VirusTotal MCP Server by BurtTheCoder - MCP server for querying the VirusTotal API, a service for analyzing files and URLs for viruses.
• Shodan MCP Server by BurtTheCoder - MCP server for querying the Shodan API, which provides data on Internet-connected devices.
• DNStwist MCP Server by BurtTheCoder - MCP server for DNS fuzzing with dnstwist, a tool for detecting phishing and domain takeover threats.
• Maigret MCP Server by BurtTheCoder - MCP server for OSINT data collection with Maigret, a tool that gathers user info from various sources.
• pomerium/pomerium - Identity-aware proxy with native support for Zero Trust access, now including MCP support.
  • Example implementations:
    • pomerium/mcp-app-demo
    • pomerium/mcp-servers

💻 Other Useful Resources

• (31.03.2025) I gave Claude root access to my server... Model Context Protocol explained by Fireship
• (17.03.2025) Model Context Protocol (MCP): The Key To Agentic AI by Jack Herrington
• Official MCP Specification
• Model Context Protocol - Official MCP website

😎 Contributing

👍🎉 First off, thanks for taking the time to contribute! 🎉👍

Please read and follow our contributing guide

Thanks! 🦄

🤝 Show your support

✔️ Disclaimer

This project can only be used for educational purposes. Using this resource against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.