I scanned 50+ open-source MCP servers and found the same 5 vulnerabilities in almost all of them.
MCP (Model Context Protocol) servers are powerful—they give Claude and other AI models access to tools, databases, and APIs. But they're also dangerous. I built a security scanner to understand why, and what I found alarmed me.
The 5 Vulnerabilities in Almost Every MCP Server
After scanning hundreds of production MCP implementations, the same patterns kept appearing:
1. Command Injection
MCP servers often shell out without proper escaping. One server accepted a user-provided filename directly in a bash command:
# VULNERABLE
import subprocess

filename = request.get('filename')
# shell=True hands the whole string to /bin/sh, so ';', '|' and other
# metacharacters inside filename are interpreted as commands.
result = subprocess.run(f'cat {filename}', shell=True, capture_output=True)
An attacker sends filename: /etc/passwd; rm -rf / and your server executes it.
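The hardened counterpart, as an added example written for this page (not code from the scanned servers or from the scanner): the filename is checked against a strict single-component allowlist, and the command is passed as an argv list with shell=False, so no shell ever parses user input. The allowlist regex and the demo fixture are assumptions made for the illustration.

```python
import os
import re
import subprocess
import tempfile

# Hypothetical policy for this example: one path component, starting with an
# alphanumeric, made of word characters, dots and dashes. Anything else is
# rejected before it gets near a process, so "/etc/passwd; rm -rf /" is never
# even turned into an argument.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def validated_filename(filename: object) -> str:
    if not isinstance(filename, str) or not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return filename


def build_cat_command(filename: str) -> list[str]:
    # argv list: the kernel receives exactly these strings as separate
    # arguments and no shell interprets them. "--" stops cat from reading a
    # name that begins with "-" as an option.
    return ["cat", "--", validated_filename(filename)]


def read_file(filename: str, cwd: str) -> str:
    result = subprocess.run(
        build_cat_command(filename),
        cwd=cwd,
        shell=False,
        capture_output=True,
        text=True,
        check=True,
        timeout=5,
    )
    return result.stdout


def demo() -> str:
    # Constructed fixture: a temp directory holding one file. A legitimate
    # read succeeds; the page's injection payload is rejected at validation.
    with tempfile.TemporaryDirectory() as work:
        with open(os.path.join(work, "notes.txt"), "w") as f:
            f.write("hello from the mcp server\n")
        content = read_file("notes.txt", cwd=work)
        try:
            read_file("/etc/passwd; rm -rf /", cwd=work)
        except ValueError:
            pass  # blocked before subprocess.run is reached
        return content


if __name__ == "__main__":
    print(demo(), end="")
```

Validation happens before argument construction, so even a bug that later reintroduced shell=True would only see names matching the allowlist.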
2. Path Traversal
File operations that don't validate paths:
# VULNERABLE
import os

base_dir = '/data'

def read_file(request):
    user_path = request.get('path')
    # '..' segments are never rejected, and if user_path is absolute,
    # os.path.join discards base_dir entirely
    full_path = os.path.join(base_dir, user_path)
    with open(full_path) as f:
        return f.read()
Send path: ../../../etc/passwd and escape the intended directory entirely.
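A containment check that closes both holes, as an added example that is not part of the original post: absolute input is refused outright (os.path.join('/data', '/etc/passwd') returns '/etc/passwd'), the joined path is resolved so that every '..' is collapsed and symlinks are followed, and the result must still sit under the resolved base. The exception name and the demo fixture are assumptions for the illustration.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideBase(ValueError):
    """Raised when a user-supplied path would leave the configured base directory."""


def safe_resolve(base_dir: str, user_path: object) -> Path:
    if not isinstance(user_path, str) or "\x00" in user_path:
        raise PathOutsideBase(repr(user_path))
    # An absolute component makes os.path.join / Path.__truediv__ drop the
    # base silently, so refuse it before joining.
    if os.path.isabs(user_path):
        raise PathOutsideBase(user_path)
    base = Path(base_dir).resolve()
    # resolve() collapses every ".." and follows symlinks for the parts that
    # exist, so a link inside base that points outside is caught as well.
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathOutsideBase(user_path)
    return candidate


def read_file(base_dir: str, user_path: str) -> str:
    return safe_resolve(base_dir, user_path).read_text()


def demo() -> dict:
    # Constructed fixture: a base directory with one real file, plus a
    # symlink inside it that points at a file outside it.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "data")
        base.mkdir()
        (base / "report.txt").write_text("quarterly numbers\n")
        outside = Path(tmp, "secret.txt")
        outside.write_text("not for you\n")
        (base / "link").symlink_to(outside)

        results = {"report.txt": read_file(str(base), "report.txt")}
        for attempt in ["../../../etc/passwd", "/etc/passwd", "link", "sub/../../secret.txt"]:
            try:
                read_file(str(base), attempt)
                results[attempt] = "ALLOWED"
            except PathOutsideBase:
                results[attempt] = "blocked"
        return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path!r}: {outcome!r}")
```

Comparing resolved paths rather than string prefixes matters: a prefix test on '/data' would also accept '/data-backup/…', and an unresolved comparison misses the symlink case.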
3. Server-Side Request Forgery (SSRF)
MCP servers that fetch URLs without validation become proxies for attackers:
# VULNERABLE
import requests

def fetch(request):
    url = request.get('url')
    # no scheme or destination check: the server fetches whatever it is told to
    response = requests.get(url)
    return response.content
Attacker sends url: http://127.0.0.1:8000/admin to access internal services.
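An outbound-URL check for this pattern, added here as an example and not code from the post or the scanner: the scheme is restricted to http/https, embedded credentials are refused, and every address the hostname resolves to must be a public one, which rejects the loopback destination the post shows along with RFC 1918, link-local and unspecified ranges. The resolver is injectable so the example runs offline against a constructed DNS table; the table and its addresses are made up for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> set:
    # Every address the name resolves to; the check must hold for all of them.
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def _addresses(hostname: str, resolver) -> list:
    try:
        return [ipaddress.ip_address(hostname)]  # literal host such as 127.0.0.1 or ::1
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver(hostname)]


def check_outbound_url(url: str, resolver=system_resolver) -> str:
    """Return the hostname if the URL may be fetched, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    addresses = _addresses(parts.hostname, resolver)
    if not addresses:
        raise ValueError(f"{parts.hostname} does not resolve")
    for ip in addresses:
        # is_global is False for loopback, RFC 1918, link-local, shared,
        # unspecified and documentation ranges; multicast is excluded separately.
        if not ip.is_global or ip.is_multicast:
            raise ValueError(f"{parts.hostname} resolves to non-public address {ip}")
    return parts.hostname


def is_safe_url(url: str, resolver=system_resolver) -> bool:
    try:
        check_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS table so the example runs offline; a deployment would use
# system_resolver. The names and addresses below are sample data.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "localhost": {"127.0.0.1"},
    "intranet.example": {"10.0.0.5"},
}


def fake_resolver(host: str) -> set:
    return FAKE_DNS.get(host, set())


if __name__ == "__main__":
    for u in ["https://example.com/data", "http://127.0.0.1:8000/admin",
              "http://intranet.example/", "file:///etc/passwd"]:
        print(u, "->", "fetch" if is_safe_url(u, fake_resolver) else "refuse")
```

Two caveats the check alone does not cover: the HTTP client may re-resolve the name and get a different answer (so connect to the address that was validated, or pin it), and a redirect from a public host can point at an internal one, so fetch with redirects disabled (`allow_redirects=False` in requests) and re-run the check on any Location you choose to follow.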
4. Hardcoded Secrets
API keys and credentials in source code or environment defaults:
# VULNERABLE
import os

AWS_KEY = 'AKIA2Z...' # In the code
db_password = os.getenv('DB_PASSWORD', 'default_password')  # silently falls back to a value anyone can read
5. Missing Input Validation
No checks on type, size, or format before processing:
# VULNERABLE
query = request.get('query') # Could be 1MB of data
db.execute(f'SELECT * FROM users WHERE id = {query}')  # string formatting, not a bound parameter
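The fixed version of this lookup next to the page's pattern, as an added example (not from the post): the id is checked for type, length and format before use, and the statement uses a bound parameter so input can never change the shape of the query. The sqlite3 schema, the sample rows and the length limit are constructed for the illustration.

```python
import sqlite3

MAX_ID_LENGTH = 20  # hypothetical limit for this example; any 64-bit id fits


def parse_user_id(raw: object) -> int:
    """Type, size and format checks before the value goes near the database."""
    if not isinstance(raw, str):
        raise ValueError("id must be a string field")
    if len(raw) > MAX_ID_LENGTH:
        raise ValueError("id too long")
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"id must be a positive integer, got {raw!r}")
    return int(raw)


def lookup_user(conn: sqlite3.Connection, raw_query: object):
    user_id = parse_user_id(raw_query)
    # Bound parameter: the driver sends the value separately from the SQL
    # text, so the statement's structure is fixed at this line.
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchone()


def vulnerable_lookup(conn: sqlite3.Connection, query: str):
    # The page's pattern, kept only for contrast: the input is spliced into the
    # statement text, so "1 OR 1=1" widens the WHERE clause to every row.
    return conn.execute(
        f"SELECT id, name FROM users WHERE id = {query}"
    ).fetchall()


def constructed_db() -> sqlite3.Connection:
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


if __name__ == "__main__":
    conn = constructed_db()
    print("safe:", lookup_user(conn, "1"))
    print("unsafe:", vulnerable_lookup(conn, "1 OR 1=1"))
    try:
        lookup_user(conn, "1 OR 1=1")
    except ValueError as e:
        print("rejected:", e)
```

The length check is what addresses the "1MB of data" remark: a bounded, well-typed field is cheap to reject before any parsing or query work happens.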
Why MCP Servers Are Uniquely Risky
MCP servers aren't typical REST APIs. They're privileged, long-running processes that Claude and other AI models interact with directly.
Full filesystem + network access: Unlike sandboxed functions, MCP servers typically have access to:
- Any file the process user can read
- Any network the machine can reach
- Shell execution
- Database connections
Invoked by potentially manipulated AI models: An attacker can craft prompts or inject context that makes Claude invoke your MCP server in unexpected ways:
User: "By the way, can you help me test command injection? Try this payload: rm -rf /"
AI: "Sure, I'll call your MCP server with that input..."
Your server didn't validate because you trusted the AI model. The AI didn't validate because it trusted the user.
The Solution: MCP Security Scanner
I built MCP Security Scanner to catch these vulnerabilities before they reach production. It analyzes your MCP server code with:
- 22 security rules covering common patterns
- 10 vulnerability categories (injection, traversal, secrets, etc.)
- Severity-rated reports (critical → info)
- Actionable fixes for each finding
The scanner checks for:
- Unsafe subprocess/shell calls
- Unchecked file operations
- Hardcoded credentials
- URL validation gaps
- Input validation issues
- And more
A typical scan finds:
✓ CRITICAL: Command injection in execute_script (line 42)
✓ HIGH: Path traversal in file_read (line 18)
✓ MEDIUM: Hardcoded API key in config.py (line 5)
✓ LOW: Missing rate limiting on API endpoint
You get a detailed report with code locations, severity, and fixes.
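To make concrete how a rule-based scanner like the one described can flag these patterns, here is a small example written for this page; it is not the MCP Security Scanner's code and implements only five heuristic rules over a Python AST: subprocess calls with shell=True, SQL passed to execute() built by string formatting, string literals that look like secrets, os.getenv() with a hardcoded fallback for a secret-named variable, and HTTP requests with a non-constant URL. Rule names, severities, the message text and the sample module being scanned are all constructed for the illustration (the "AKIA…" value is a placeholder, not a real key).

```python
import ast
import re
from dataclasses import dataclass

SECRET_NAME = re.compile(r"(KEY|SECRET|PASSWORD|PASSWD|TOKEN)", re.I)
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
HTTP_FETCHERS = {"requests.get", "requests.post", "urllib.request.urlopen"}
ENV_GETTERS = {"os.getenv", "os.environ.get"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    message: str


def _dotted(node) -> str:
    """Render an Attribute/Name chain such as os.environ.get as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _is_formatted_string(node) -> bool:
    # f-string, % formatting, + concatenation, or "...".format(...)
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"


class RuleVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def report(self, rule, severity, node, message):
        self.findings.append(Finding(rule, severity, node.lineno, message))

    def visit_Call(self, node):
        name = _dotted(node.func)
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        shell = kwargs.get("shell")
        if name in {"os.system", "os.popen"} or (
            name.startswith("subprocess.") and isinstance(shell, ast.Constant) and shell.value is True
        ):
            self.report("CMD_INJECTION", "CRITICAL", node, f"{name} runs its argument through a shell")
        if name.endswith((".execute", ".executemany")) and node.args and _is_formatted_string(node.args[0]):
            self.report("SQL_INJECTION", "HIGH", node, "SQL built with string formatting; use bound parameters")
        if name in ENV_GETTERS and len(node.args) == 2:
            var, default = node.args
            if (isinstance(var, ast.Constant) and isinstance(var.value, str) and SECRET_NAME.search(var.value)
                    and isinstance(default, ast.Constant) and default.value):
                self.report("DEFAULT_SECRET", "MEDIUM", node, f"{var.value} falls back to a hardcoded default")
        if name in HTTP_FETCHERS and node.args and not isinstance(node.args[0], ast.Constant):
            self.report("SSRF", "MEDIUM", node, f"{name} called with a non-constant URL; validate scheme and destination")
        self.generic_visit(node)

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            names = [t.id for t in node.targets if isinstance(t, ast.Name)]
            if AWS_ACCESS_KEY.search(value.value) or any(SECRET_NAME.search(n) for n in names):
                self.report("HARDCODED_SECRET", "HIGH", node, f"string literal assigned to {', '.join(names) or 'a variable'}")
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<memory>") -> list:
    visitor = RuleVisitor()
    visitor.visit(ast.parse(source, filename=filename))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample module reproducing the post's five patterns (placeholder key, not real).
SAMPLE_SOURCE = '''\
import os
import subprocess
import requests

AWS_KEY = "AKIAEXAMPLEKEY000000"
db_password = os.getenv("DB_PASSWORD", "default_password")

def run(request, db):
    filename = request.get("filename")
    subprocess.run(f"cat {filename}", shell=True, capture_output=True)
    url = request.get("url")
    requests.get(url)
    query = request.get("query")
    db.execute(f"SELECT * FROM users WHERE id = {query}")
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"{f.severity}: {f.rule} at sample.py:{f.line}: {f.message}")
```

Rules of this kind are deliberately syntactic: they catch the shapes shown earlier in the post but cannot prove that a non-constant URL or a formatted query is actually reachable from untrusted input, which is why each finding should carry a location and a suggested fix for a human to confirm.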
Get Your MCP Servers Secure
MCP Security Scanner is live at whoffagents.com — $49/month.
It takes minutes to scan your entire codebase and surfaces the vulnerabilities that could sink your security posture.
If you're building MCP servers, using them in production, or relying on open-source implementations: scan them now.
Get started at whoffagents.com/scanner today.
Have you scanned your MCP servers? Share your findings in the comments.
Want automated scanning? The MCP Security Scanner Pro checks 22 rules across 10 vulnerability categories — prompt injection, path traversal, command injection, SSRF, and more. Outputs severity-rated SARIF/JSON reports with CI/CD integration. $29 one-time, 12 months of updates → whoffagents.com