Skip to content(if available)orjump to list(if available)

MCP Security Vulnerabilities and Attack Vectors

MCP Security Vulnerabilities and Attack Vectors

17 comments

·July 19, 2025
Visit

joshwarwick15

Same root causes again - check out https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

ethan_smith

The "lethal trifecta" refers to default configurations, excessive permissions, and inadequate authentication - three factors that plague MCP implementations just as they did with earlier technologies.

OldfieldFund

This can be easily used to search for seeds/private keys when AI coding agents are in YOLO mode.

spiritplumber

MCP clearly needs an independent monitoring program to safeguard it. Let's call it Tron.

Arindam1729

Truly, S in MCP stands for Security!

dotancohen

The S in SFTP?

The S in SSH?

The S in HTTPS?

The S in MCP?

All stand for the same thing!

I remember when this joke was first applied to IoT.

iotku

I do love the joke, but it is worth remembering as well that all of those S were to a certain extent afterthoughts to fix otherwise insecure protocols.

Given how old FTP and HTTP are it's fairly understandable that they weren't initially designed with security in mind, but I think it's valid to question why we're still designing insecure systems in 2025.

amitksingh1490

Totally agree, If we have made a mistakes in past we must have learnt from it and when designing a standard specially with AI where the outcome is non deterministic we got be more careful.

amitksingh1490

MCP new spec has to an extent covered auth. But the MCPs are yet to adopt to that.

simonw

Auth doesn't protect against confused deputy attacks, which is a common problem exposed by MCP and other LLM tool systems. https://en.m.wikipedia.org/wiki/Confused_deputy_problem

bitweis

100% - especially when Auth stands for just Authentication. Simple RBAC authorization also won't take us far. But Fine-grained Permissions(e.g. OPA, Cedar, OpenFGA, Permit.io) with ReBAC giving ai-agents Zero standing permissions, and only deriving on the fly the least privilege they need / got consent for, can dramatically reduce the problem

rvz

We have not learned anything from the hundreds of open MongoDB databases without passwords floating around the internet waiting to be breached.

We now have the same with MCP servers in the AI era as documented in [0].

[0] https://news.ycombinator.com/item?id=44604453

bigyabai

This post is an obvious victim of upvote manipulation. HN should ban the forgecode domain if it's going to abuse submissions like this.

dayjah

Can you provide some context for your position? I’m not particularly familiar with ForgeCode. I’m interested in why you think there’s manipulation, and what you mean by “submissions like these”.

null

[deleted]

ukanwat

[dead]

aviralb20

MCP adoption is picking up fast.