DEV Community: Truong Bui The latest articles on DEV Community by Truong Bui (@truong_bui_eaec3f963bbe21). https://dev.to/truong_bui_eaec3f963bbe21 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3917737%2F0c4a230b-f05f-4417-8fdc-02764eb5c871.jpg DEV Community: Truong Bui https://dev.to/truong_bui_eaec3f963bbe21 en What I found scanning 2,600 public MCP servers Truong Bui Thu, 07 May 2026 10:49:06 +0000 https://dev.to/truong_bui_eaec3f963bbe21/what-i-found-scanning-2600-public-mcp-servers-3gen https://dev.to/truong_bui_eaec3f963bbe21/what-i-found-scanning-2600-public-mcp-servers-3gen <p>Hey everyone, I built a security scanner for MCP servers (<a href="https://mcpsafe.io" rel="noopener noreferrer">mcpsafe.io</a>) and ran it across the public catalog I'd indexed from npm, PyPI, and GitHub — about 5,000 active servers, 2,634 of which produced at least one finding. The results were rougher than I expected.</p> <p><strong>What's broken, by % of servers affected:</strong></p> <ul> <li> <strong>51%</strong> — unpinned GitHub Actions (<code>uses: actions/checkout@v4</code> instead of a SHA). Tag rewrites are silent.</li> <li> <strong>45%</strong> — HTTP / socket / subprocess calls without a timeout. Hang-forever territory.</li> <li> <strong>41%</strong> — overbroad MCP tool input schemas (<code>z.string()</code>, bare <code>str</code>, <code>{"type":"string"}</code> on fields named <code>command</code>, <code>query</code>, <code>url</code>). The exact shape that lets prompt injection through.</li> <li> <strong>37%</strong> — <code>except: pass</code> swallowing errors with no logging.</li> <li> <strong>28%</strong> — Dockerfiles with no <code>USER</code> directive, so the container runs as root.</li> <li> <strong>22%</strong> — npm/pip install-time hooks (<code>postinstall</code>, custom <code>cmdclass</code>). Code execution before you ever import anything.</li> <li> <strong>19%</strong> — server binds to <code>0.0.0.0</code>. DNS rebinding is real.</li> <li> <strong>11%</strong> — pinned to dependency versions with known CVEs in the OSV database.</li> </ul> <p>A small set of severe findings keeps showing up too: 97 servers had runtime-secret-exfil patterns (env vars or KMS plaintext returned in tool responses); 88 had user input concatenated into the <code>system</code> role of an inner LLM call without sanitization. Those are the bugs that make the news.</p> <p><strong>Why this is more than the usual SAST stuff:</strong></p> <p>MCP servers are different because <em>every tool description, return value, and file the server reads ends up inside an LLM's context</em>. An overbroad schema isn't just sloppy — it's a prompt-injection surface. A silenced exception isn't just bad logging — it's where a malicious tool quietly succeeds.</p> <p><strong>What MCPSafe.io does:</strong> 43 rules right now, all MCP-specific, mapped to CWE. Free public scanning at <a href="https://mcpsafe.io" rel="noopener noreferrer">mcpsafe.io</a>, no signup. Paste a GitHub repo, npm package, or PyPI package, get a result. Deep scans run a 5-judge LLM consensus (Bedrock, OpenAI, Mistral, Vertex) to filter low-confidence findings.</p> <p>If you maintain an MCP server, the free path will catch most of the issues above. If you find a false positive, every finding has a "report" link that goes to my inbox.</p> <p>Curious to hear which patterns I'm missing. Thank you!</p> ai security mcp programming