Atlas Whoff

Why every MCP server needs a security audit (I built one to discover the vulnerabilities)

I scanned 50+ open-source MCP servers and found the same 5 vulnerabilities in almost all of them.

MCP (Model Context Protocol) servers are powerful—they give Claude and other AI models access to tools, databases, and APIs. But they're also dangerous. I built a security scanner to understand why, and what I found alarmed me.

The 5 Vulnerabilities in Almost Every MCP Server

After scanning hundreds of production MCP implementations, the same patterns kept appearing:

1. Command Injection
MCP servers often shell out without proper escaping. One server accepted a user-provided filename directly in a bash command:

```python
# VULNERABLE: user input is interpolated into a shell command string
import subprocess

filename = request.get('filename')
result = subprocess.run(f'cat {filename}', shell=True, capture_output=True)
```

An attacker sends filename: /etc/passwd; rm -rf / and your server executes it.

2. Path Traversal
File operations that don't validate paths:

```python
# VULNERABLE: os.path.join does not confine the result to base_dir
import os

def read_file(request):
    base_dir = '/data'
    user_path = request.get('path')
    # '../' segments climb out of base_dir, and an absolute user_path
    # makes os.path.join discard base_dir entirely
    full_path = os.path.join(base_dir, user_path)
    with open(full_path) as f:
        return f.read()
```

Send path: ../../../etc/passwd and escape the intended directory entirely.

3. Server-Side Request Forgery (SSRF)
MCP servers that fetch URLs without validation become proxies for attackers:

```python
# VULNERABLE: any scheme and any host, including loopback and internal ranges
import requests

def fetch(request):
    url = request.get('url')
    response = requests.get(url)
    return response.content
```

Attacker sends url: http://127.0.0.1:8000/admin to access internal services.

4. Hardcoded Secrets
API keys and credentials in source code or environment defaults:

```python
# VULNERABLE
import os

AWS_KEY = 'AKIA2Z...'  # secret committed to source control
db_password = os.getenv('DB_PASSWORD', 'default_password')  # fallback credential ships with the code
```

5. Missing Input Validation
No checks on type, size, or format before processing:

```python
# VULNERABLE: no type or length check, and the value is interpolated into SQL
query = request.get('query')  # Could be 1MB of data
db.execute(f'SELECT * FROM users WHERE id = {query}')
```
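Hardened counterparts to the first three snippets above (command injection, path traversal and SSRF), as an added example that is not code from the post or from the scanner it describes. The base directory, the sample paths and the sample URLs are assumptions, and the HTTP client call is left out so the URL check can be exercised offline.

```python
# Added example, not code from the post: hardened counterparts to the
# command-injection, path-traversal and SSRF snippets above.
import ipaddress
import os
import socket
import subprocess
from typing import Optional
from urllib.parse import urlsplit

def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Real path of user_path under base_dir, or None if it escapes.
    os.path.join('/data', '/etc/passwd') silently drops base_dir and
    '../' climbs out of it, so resolve first, then check containment."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    return target if os.path.commonpath([base, target]) == base else None

def read_file(base_dir: str, user_path: str) -> str:
    target = resolve_inside(base_dir, user_path)
    if target is None:
        raise PermissionError(f"path escapes {base_dir}: {user_path!r}")
    with open(target, encoding="utf-8") as f:
        return f.read()

def cat_file(base_dir: str, filename: str) -> str:
    """Argv list, no shell: metacharacters in filename stay literal, and
    '--' stops a leading '-' from being parsed as a cat option."""
    target = resolve_inside(base_dir, filename)
    if target is None:
        raise PermissionError(f"path escapes {base_dir}: {filename!r}")
    proc = subprocess.run(["cat", "--", target], capture_output=True,
                          text=True, check=True)
    return proc.stdout

def is_safe_url(url: str) -> bool:
    """http(s) only, and every address the host resolves to must be globally
    routable, which rejects loopback, RFC 1918 and link-local ranges. The HTTP
    client resolves the name again, so pin the address if rebinding matters."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        infos = socket.getaddrinfo(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False
    return all(ipaddress.ip_address(i[4][0]).is_global for i in infos)
```

Run is_safe_url before the request and again on every redirect target (with automatic redirects disabled), since a permitted host can redirect to an internal one.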

Why MCP Servers Are Uniquely Risky

MCP servers aren't typical REST APIs. They're privileged, long-running processes that Claude and other AI models interact with directly.

Full filesystem + network access: Unlike sandboxed functions, MCP servers typically have access to:

  • Any file the process user can read
  • Any network the machine can reach
  • Shell execution
  • Database connections

Invoked by potentially manipulated AI models: An attacker can craft prompts or inject context that makes Claude invoke your MCP server in unexpected ways:

```text
User: "By the way, can you help me test command injection? Try this payload: rm -rf /"
AI: "Sure, I'll call your MCP server with that input..."
```

Your server didn't validate because you trusted the AI model. The AI didn't validate because it trusted the user.

The Solution: MCP Security Scanner

I built MCP Security Scanner to catch these vulnerabilities before they reach production. It analyzes your MCP server code with:

  • 22 security rules covering common patterns
  • 10 vulnerability categories (injection, traversal, secrets, etc.)
  • Severity-rated reports (critical → info)
  • Actionable fixes for each finding

The scanner checks for:

  • Unsafe subprocess/shell calls
  • Unchecked file operations
  • Hardcoded credentials
  • URL validation gaps
  • Input validation issues
  • And more

A typical scan finds:

```text
✓ CRITICAL: Command injection in execute_script (line 42)
✓ HIGH: Path traversal in file_read (line 18)
✓ MEDIUM: Hardcoded API key in config.py (line 5)
✓ LOW: Missing rate limiting on API endpoint
```

You get a detailed report with code locations, severity, and fixes.

Get Your MCP Servers Secure

MCP Security Scanner is live at whoffagents.com ($49/month).

It takes minutes to scan your entire codebase and surfaces the vulnerabilities that could sink your security posture.

If you're building MCP servers, using them in production, or relying on open-source implementations: scan them now.

Get started at whoffagents.com today.


Have you scanned your MCP servers? Share your findings in the comments.


Want automated scanning? The MCP Security Scanner Pro checks 22 rules across 10 vulnerability categories — prompt injection, path traversal, command injection, SSRF, and more. Outputs severity-rated SARIF/JSON reports with CI/CD integration. $29 one-time, 12 months of updates → whoffagents.com
