MCP Ecosystem Security Risks: First Cross-Entity Study Identifies Widespread Vulnerabilities

A recent security analysis published on arXiv (2510.16558v2) offers the inaugural cross-entity examination of the Model Context Protocol (MCP) ecosystem, which links large language models (LLMs) to external tools. This study uncovers significant security vulnerabilities among hosts, servers, and registries, emphasizing a two-phase attack surface. At the registry stage, inadequate vetting and ownership verification permit the entry of compromised or hijacked servers into hosts. Once integrated, malicious tool metadata can influence LLM reasoning and trigger unintended actions, which hosts carry out without proper verification. While code-level flaws are not essential, they can exacerbate attacks. The research assessed 67,057 servers across six public registries, revealing prevalent conditions that facilitate server hijacking and invocation manipulation. Additionally, the authors developed MCPInspect, a tool for pre-integration risk analysis.