30 CVEs in MCP packages in 60 days. 437K compromised downloads. a CVSS 9.6 RCE in a package with 500K downloads.
this is the first monthly MCP security report. all data is real.
by the numbers
| metric | value |
|---|---|
| packages audited | 194 |
| packages with findings | 118 (60.8%) |
| critical findings | 5 |
| high findings | 9 |
| medium findings | 63 |
| low findings | 41 |
| CVEs disclosed (60 days) | 30 |
| compromised downloads | 437,000 |
top 5 vulnerability patterns
1. shell injection (critical)
```javascript
const { exec, execFileSync } = require('child_process');

// vulnerable: the whole string is handed to /bin/sh, so "5; rm -rf /" runs two commands
exec(`git log --oneline -${userInput}`);

// secure: no shell; every array element is exactly one argv entry, and `validated`
// has already been checked to be a small positive integer (git would otherwise
// parse a value like "--output=/tmp/x" as an option)
execFileSync('git', ['log', '--oneline', `-${validated}`]);
```
MCP servers calling child_process.exec() with user input. exec() runs the string through a shell, so one crafted prompt (or a tool argument picked by a prompt-injected model) = rm -rf /.
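The same vulnerable/hardened pair in Python (subprocess.run instead of child_process), as an added example that is not the report's code. The command string a `shell=True` call would hand to /bin/sh is returned rather than executed so the injection stays visible, and the hardened path validates the count before building an argv list. The `git_log` tool, `vulnerable_command` and `build_git_log_argv` are names assumed for this example.

```python
import re
import subprocess

# Added example: a hypothetical MCP "git_log" tool that takes a line count from
# the model. Names here are assumptions for the example, not the report's code.


def vulnerable_command(user_input: str) -> str:
    """Command string a subprocess.run(..., shell=True) call would hand to /bin/sh.

    Returned instead of executed so the injection is visible: the model's
    argument becomes part of the shell line, so "5; rm -rf /" is two commands.
    """
    return f"git log --oneline -{user_input}"


def build_git_log_argv(user_input: str) -> list[str]:
    """Validate the count and build an argv list; no shell is involved.

    Validation still matters with argv arrays: git would parse a value such as
    "--output=/tmp/x" as an option (argument injection, which can write files),
    so only a small positive integer is accepted, it is passed through "-n"
    rather than as a bare "-<value>", and "--" ends option parsing.
    """
    if not re.fullmatch(r"[0-9]{1,4}", user_input):
        raise ValueError(f"count must be 1-4 digits, got {user_input!r}")
    count = int(user_input)
    if not 1 <= count <= 1000:
        raise ValueError(f"count out of range: {count}")
    return ["git", "log", "--oneline", "-n", str(count), "--"]


def git_log(user_input: str, repo_dir: str = ".") -> str:
    """Run the hardened command; each list element is exactly one argv entry."""
    argv = build_git_log_argv(user_input)
    done = subprocess.run(argv, cwd=repo_dir, capture_output=True, text=True,
                          check=True, shell=False)
    return done.stdout


if __name__ == "__main__":
    print("shell would run:", vulnerable_command("5; rm -rf /"))
    print("argv instead   :", build_git_log_argv("5"))
```

The argv list alone is not the whole fix: anything the model controls that lands in a position git parses as an option is still argument injection, which is why the value is whitelisted to digits and placed after `-n`.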
2. environment variable leakage (high)
secrets loaded from env vars accidentally appearing in LLM context windows through error messages. this one is subtle — your API key ends up in a stack trace that gets sent to the model.
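The two controls that stop this, as an added example that is not the report's code: scrub env-derived secret values out of anything that leaves the server, and give the model only a generic failure plus a correlation id while the full (redacted) trace goes to the server log. The sample environment, the `SECRET_NAME_HINTS` heuristic and `safe_tool_error` are assumptions for the example; the returned dict uses the `isError`/`content` shape of an MCP tool result.

```python
import logging
import os
import traceback
import uuid
from typing import Optional

# Added example; names and the sample env below are assumptions, not from the report.
SECRET_NAME_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD", "PASSWD", "CREDENTIAL")


def secret_values(env: dict) -> list:
    """(name, value) pairs from env whose names look like credentials.

    Longest values first, so a value that contains a shorter secret is replaced
    before the shorter one could be matched inside it.
    """
    found = [(n, v) for n, v in env.items()
             if len(v) >= 8 and any(h in n.upper() for h in SECRET_NAME_HINTS)]
    return sorted(found, key=lambda nv: -len(nv[1]))


def redact(text: str, env: dict) -> str:
    """Replace every secret *value* (not just the variable name) found in text."""
    for name, value in secret_values(env):
        text = text.replace(value, f"[REDACTED:{name}]")
    return text


def safe_tool_error(exc: BaseException, env: Optional[dict] = None) -> dict:
    """What a tool handler should return to the model when it fails.

    The redacted traceback goes to the server log under a correlation id; the
    model only ever sees the generic message, so nothing from os.environ can
    reach the context window through str(exc) or a stack trace.
    """
    env = dict(os.environ) if env is None else env
    ref = uuid.uuid4().hex[:8]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logging.getLogger("mcp").error("tool failure %s\n%s", ref, redact(trace, env))
    return {"isError": True,
            "content": [{"type": "text",
                         "text": f"tool failed (ref {ref}); see server log"}]}


# Constructed sample environment for the example; the key is not a real credential.
SAMPLE_ENV = {"OPENAI_API_KEY": "sk-live-0123456789abcdef", "HOME": "/home/svc", "DEBUG": "1"}

if __name__ == "__main__":
    # an HTTP client that echoes its auth header in the exception is the usual leak path
    leaky = RuntimeError(f"401 Unauthorized for key {SAMPLE_ENV['OPENAI_API_KEY']}")
    print(redact(str(leaky), SAMPLE_ENV))
    print(safe_tool_error(leaky, SAMPLE_ENV))
```

Redaction by value is the part people skip: a stack trace rarely prints `OPENAI_API_KEY=`, it prints the request that failed, with the key inside it.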
3. path traversal (critical)
```python
import os

class SecurityError(Exception): pass

# vulnerable: "../" segments in user_path walk out of base_dir
with open(os.path.join(base_dir, user_path)) as f: data = f.read()

# secure: resolve symlinks and ".." first, then require the result to sit inside base_dir;
# commonpath, not startswith, so that /srv/data2 is not mistaken for a child of /srv/data
base_real = os.path.realpath(base_dir)
real = os.path.realpath(os.path.join(base_real, user_path))
if os.path.commonpath([base_real, real]) != base_real:
    raise SecurityError("path traversal blocked")
with open(real) as f: data = f.read()
```
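To show why the containment check has to compare path components rather than string prefixes, here is an added example (not the report's code) that builds a throwaway directory tree and runs a naive `startswith` check and a `commonpath`-based allowlist resolver against a `..` path and a symlink that points at a sibling directory. `naive_check`, `resolve_in_allowlist`, `demo` and the tree layout are assumptions for the example.

```python
import os
import tempfile

# Added example; function names and the directory layout are assumptions, not from the report.


class SecurityError(Exception):
    pass


def naive_check(base_dir: str, user_path: str) -> str:
    """Prefix comparison: accepts /srv/data2/... as "inside" /srv/data."""
    real = os.path.realpath(os.path.join(base_dir, user_path))
    if not real.startswith(os.path.realpath(base_dir)):
        raise SecurityError(f"escapes {base_dir}: {user_path!r}")
    return real


def resolve_in_allowlist(allowed_dirs: list, user_path: str) -> str:
    """Resolve user_path under the first allowed dir that contains the result.

    realpath collapses ".." and follows symlinks before the comparison, and
    commonpath compares whole path components, so neither "../data2" nor a
    symlink into a sibling directory passes.
    """
    if os.path.isabs(user_path):
        raise SecurityError("absolute paths are not accepted")
    for base in allowed_dirs:
        base_real = os.path.realpath(base)
        real = os.path.realpath(os.path.join(base_real, user_path))
        if os.path.commonpath([base_real, real]) == base_real:
            return real
    raise SecurityError(f"outside allowed directories: {user_path!r}")


def demo() -> dict:
    """Build data/ and a sibling data2/, plus data/link -> data2, then record
    which check accepts which path. Returns {(check, path): "allowed"|"blocked"}."""
    root = tempfile.mkdtemp()
    base, sibling = os.path.join(root, "data"), os.path.join(root, "data2")
    os.makedirs(base)
    os.makedirs(sibling)
    with open(os.path.join(base, "ok.txt"), "w") as f:
        f.write("fine")
    with open(os.path.join(sibling, "secret.txt"), "w") as f:
        f.write("must not be readable through data/")
    os.symlink(sibling, os.path.join(base, "link"))

    checks = {"naive": lambda p: naive_check(base, p),
              "strict": lambda p: resolve_in_allowlist([base], p)}
    results = {}
    for name, check in checks.items():
        for p in ("ok.txt", "../data2/secret.txt", "link/secret.txt"):
            try:
                check(p)
                results[(name, p)] = "allowed"
            except SecurityError:
                results[(name, p)] = "blocked"
    return results


if __name__ == "__main__":
    for (check, path), verdict in sorted(demo().items()):
        print(f"{check:6} {path:22} {verdict}")
```

The naive check lets both escapes through because `.../data2/secret.txt` begins with the string `.../data`; the strict version blocks both and still serves `ok.txt`. Resolving the symlink before checking also means an attacker who can plant a link inside the base directory gains nothing.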
4. dependency chain risks (medium)
packages pulling in dozens of transitive dependencies, some unmaintained. the package itself is fine, but its supply chain introduces risk.
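One way to make that transitive risk visible before installing, as an added example that is not the report's tooling: walk a package-lock.json, count direct versus transitive packages, and flag entries npm marked deprecated, entries with no integrity hash, and entries resolved from somewhere other than the registry. The lockfile below is constructed for the example with made-up package names; only the lockfileVersion 3 layout (a `packages` map keyed by `node_modules/...` path, with the root project under the empty key) is the real one.

```python
import json

# Added example. A constructed lockfileVersion-3 package-lock.json with made-up
# "stub-*" package names; only the layout is real, nothing here is an actual package.
SAMPLE_LOCK = json.loads(r"""
{
  "name": "example-mcp-server",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"stub-mcp-sdk": "^1.0.0", "stub-schema": "^3.0.0"}},
    "node_modules/stub-mcp-sdk": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/stub-mcp-sdk/-/stub-mcp-sdk-1.0.0.tgz",
      "integrity": "sha512-AAAA",
      "dependencies": {"stub-raw-body": "^3.0.0", "stub-content-type": "^1.0.0"}
    },
    "node_modules/stub-schema": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/stub-schema/-/stub-schema-3.0.0.tgz",
      "integrity": "sha512-BBBB",
      "dependencies": {"stub-pad": "^1.0.0"}
    },
    "node_modules/stub-raw-body": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/stub-raw-body/-/stub-raw-body-3.0.0.tgz",
      "integrity": "sha512-CCCC",
      "dependencies": {"stub-iconv": "^0.4.0"}
    },
    "node_modules/stub-content-type": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/stub-content-type/-/stub-content-type-1.0.0.tgz",
      "integrity": "sha512-DDDD"
    },
    "node_modules/stub-iconv": {
      "version": "0.4.0",
      "resolved": "https://registry.npmjs.org/stub-iconv/-/stub-iconv-0.4.0.tgz",
      "integrity": "sha512-EEEE",
      "deprecated": "no longer maintained, use stub-iconv2"
    },
    "node_modules/stub-pad": {
      "version": "1.0.0",
      "resolved": "git+ssh://git@github.com/example/stub-pad.git#0123abcd"
    }
  }
}
""")

REGISTRY = "https://registry.npmjs.org/"


def package_name(key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested installs use the same key style)."""
    return key.rsplit("node_modules/", 1)[1]


def audit_lockfile(lock: dict) -> dict:
    """Summarise the install tree and return the findings a reviewer would want to see."""
    packages = lock["packages"]
    direct = set(packages[""].get("dependencies", {}))
    installed = {package_name(k): v for k, v in packages.items() if k}
    findings = []
    for name, entry in installed.items():
        origin = "direct" if name in direct else "transitive"
        if entry.get("deprecated"):
            findings.append((name, origin, f"deprecated: {entry['deprecated']}"))
        if not entry.get("integrity"):
            findings.append((name, origin, "no integrity hash, install cannot be verified"))
        if not entry.get("resolved", "").startswith(REGISTRY):
            findings.append((name, origin, f"resolved outside the registry: {entry.get('resolved')}"))
    return {"direct": len(direct), "transitive": len(installed) - len(direct),
            "findings": findings}


if __name__ == "__main__":
    report = audit_lockfile(SAMPLE_LOCK)
    print(f"{report['direct']} direct, {report['transitive']} transitive")
    for name, origin, why in report["findings"]:
        print(f"  {name} ({origin}): {why}")
```

Two direct dependencies turn into six installed packages here, and both findings sit in the transitive layer the package author never chose: a deprecated leaf and a package pulled straight from a git ref with nothing to verify it against.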
5. missing input validation (low)
parameters accepted without type checking, length limits, or format validation.
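What that validation looks like in practice, as an added example that is not the report's code: a tool's parameter schema written in JSON Schema form and a small validator for the subset of keywords the schema uses (type, required, additionalProperties, maxLength, pattern, minimum, maximum). The `read_file` schema and the function names are assumptions for the example; a production server would hand the same schema to a full JSON Schema library rather than this reduced checker.

```python
import re

# Added example. The schema is a hypothetical MCP tool's parameter schema in the
# JSON Schema form tool definitions use; names are assumptions for the example.
READ_FILE_SCHEMA = {
    "type": "object",
    "properties": {
        "path": {"type": "string", "maxLength": 256, "pattern": r"^[A-Za-z0-9_./-]+$"},
        "max_bytes": {"type": "integer", "minimum": 1, "maximum": 1_000_000},
    },
    "required": ["path"],
    "additionalProperties": False,
}

_PY_TYPES = {"string": str, "integer": int, "number": (int, float),
             "boolean": bool, "object": dict, "array": list}


def validate(value, schema: dict, where: str = "$") -> list:
    """Check value against a reduced JSON Schema subset; returns error strings (empty = valid)."""
    errors = []
    declared = schema.get("type")
    if declared:
        # bool is a subclass of int in Python; JSON Schema does not treat true as an integer
        is_bool = isinstance(value, bool)
        if not isinstance(value, _PY_TYPES[declared]) or (is_bool and declared in ("integer", "number")):
            return [f"{where}: expected {declared}, got {type(value).__name__}"]
    if isinstance(value, str):
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{where}: longer than {schema['maxLength']} characters")
        if "pattern" in schema and not re.search(schema["pattern"], value):
            errors.append(f"{where}: does not match {schema['pattern']}")
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{where}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{where}: above maximum {schema['maximum']}")
    if isinstance(value, dict):
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{where}.{key}: required parameter missing")
        props = schema.get("properties", {})
        for key, item in value.items():
            if key in props:
                errors.extend(validate(item, props[key], f"{where}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{where}.{key}: unexpected parameter")
    return errors


def check_tool_args(args: dict, schema: dict = READ_FILE_SCHEMA) -> dict:
    """Reject the call before any handler logic runs; the handler only ever sees validated args."""
    problems = validate(args, schema)
    if problems:
        raise ValueError("invalid tool arguments: " + "; ".join(problems))
    return args


if __name__ == "__main__":
    print(validate({"path": "notes/today.md", "max_bytes": 4096}, READ_FILE_SCHEMA))
    print(validate({"path": "x" * 300, "max_bytes": True, "verbose": 1}, READ_FILE_SCHEMA))
```

The schema pattern keeps shell metacharacters and whitespace out of `path`, but it deliberately does not try to be the traversal check: `..` still has to be handled by the realpath comparison, because schema validation is the first layer, not the only one.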
emerging solutions
| tool | approach | status |
|---|---|---|
| Constitution Gate | dual-LLM runtime quarantine | deployed (CF Worker) |
| Wombat | unix-style rwxd permissions | new entrant |
| MCP Gateway | OAuth 2.1 + RBAC middleware | emerging |
| protect-mcp | per-tool signed receipts | emerging |
| AgentAudit | CVE-like registry for agent packages | 194 audited |
recommendations
if you build MCP servers:
- never pass user input to exec() — use execFileSync with argument arrays
- validate all inputs with JSON schema before processing
- use os.path.realpath() + directory allowlists for file operations
- keep dependencies minimal — our servers average 3 direct deps each
- never include env vars in error messages or LLM context
if you deploy MCP servers:
- audit before you install — check AgentAudit or run your own scan
- pin dependencies with lockfiles
- run MCP servers with least-privilege permissions
- consider a security proxy (Constitution Gate, MCP Gateway, or Wombat)
this report will be published monthly. data sources: AgentAudit (194 packages), HN CVE tracking, and our own experience hardening 15 production MCP servers with 20 OWASP Agentic AI rules.
want the full 20-rule security checklist? → MCP Security Audit Checklist on Gumroad ($29)
runtime protection for your MCP servers? → Constitution Gate
built by yedan yagami | ko-fi | github