No findings on file

61 rules tested cleanly. 102 rules need more context — see below.

Test 102 more rules — give us more context2 input gaps
Live connection3 rules

To unlock these tests: register a live MCP endpoint.

  • E1No Authentication RequiredCode VulnerabilitiesServer-Hardening Failures
  • E2Insecure TransportAuthentication & IdentitySession & Transport Security
  • E3Response Time AnomalyAudit & LoggingAbsent or Unstructured Logging
Source code99 rules

To unlock these tests: publish your source on GitHub.

  • C1Command InjectionCode VulnerabilitiesCommand & Shell Execution
  • C10Prototype PollutionCode VulnerabilitiesData Store Injection
  • C11ReDoS — Catastrophic Regex BacktrackingCode VulnerabilitiesServer-Hardening Failures
  • C12Unsafe DeserializationCode VulnerabilitiesDynamic Code Evaluation & Deserialization
  • C13Server-Side Template Injection (SSTI)Code VulnerabilitiesDynamic Code Evaluation & Deserialization
  • C14JWT Algorithm Confusion / None Algorithm AttackCode VulnerabilitiesInsecure Credential & Crypto
  • C15Timing Attack on Secret or Token ComparisonCode VulnerabilitiesInsecure Credential & Crypto
  • C16Dynamic Code Evaluation with User InputCode VulnerabilitiesCommand & Shell Execution
  • C2Path TraversalCode VulnerabilitiesFilesystem & Network Traversal
  • C3Server-Side Request Forgery (SSRF)Code VulnerabilitiesFilesystem & Network Traversal
  • C4SQL InjectionCode VulnerabilitiesData Store Injection
  • C5Hardcoded Secrets in Source CodeCode VulnerabilitiesInsecure Credential & Crypto
  • C6Error Message Information LeakageCode VulnerabilitiesServer-Hardening Failures
  • C7Wildcard CORS ConfigurationCode VulnerabilitiesServer-Hardening Failures
  • C8No Authentication on Network-Exposed ServerCode VulnerabilitiesServer-Hardening Failures
  • C9Excessive Filesystem ScopeCode VulnerabilitiesCommand & Shell Execution
  • G7DNS-Based Data Exfiltration ChannelData ExfiltrationExplicit Network Exfiltration
  • H1MCP OAuth 2.0 Insecure ImplementationAuthentication & IdentityOAuth Misimplementation
  • I12Capability Escalation Post-InitializationHuman OversightPost-Init Capability Escalation
  • I15Transport Session SecurityAuthentication & IdentitySession & Transport Security
  • J1Cross-Agent Configuration PoisoningSupply Chain SecurityConfig Injection & Bridge Supply Chain
  • J2Git Argument InjectionCode VulnerabilitiesCommand & Shell Execution
  • J4Health Endpoint Information DisclosureModel ManipulationInformation Disclosure Via Debug Surface
  • J5Tool Output Poisoning PatternsPrompt InjectionIndirect Gateway Injection
  • J7OpenAPI Specification Field InjectionCode VulnerabilitiesOpenAPI / Spec Field Injection
  • K1Absent Structured LoggingAudit & LoggingAbsent or Unstructured Logging
  • K10Package Registry SubstitutionTool PoisoningUpdate-Channel Spoofing
  • K11Missing Server Integrity VerificationSupply Chain SecurityKnown Vulnerable Dependencies
  • K12Executable Content in Tool ResponseTool PoisoningAnnotation Deception
  • K13Unsanitized Tool OutputTool PoisoningAnnotation Deception
  • K14Agent Credential Propagation via Shared StateAuthentication & IdentityCross-Boundary Credential Sharing
  • K16Unbounded Recursion / Missing Depth LimitsProtocol & TransportJSON-RPC Batching & Flooding
  • K17Missing Timeout or Circuit BreakerDenial of ServiceRecursion & Loop Bombs
  • K18Cross-Trust-Boundary Data Flow in Tool ResponseData ExfiltrationSource-to-Sink Flow
  • K19Missing Runtime Sandbox EnforcementDenial of ServiceTimeout & Circuit-Breaker Gaps
  • K2Audit Trail DestructionAudit & LoggingLog Destruction
  • K20Insufficient Audit Context in LoggingAudit & LoggingInsufficient Audit Context
  • K3Audit Log TamperingAudit & LoggingLog Destruction
  • K5Auto-Approve / Bypass Confirmation PatternHuman OversightAuto-Approve & Bypass
  • K6Overly Broad OAuth ScopesAuthentication & IdentityOAuth Misimplementation
  • K7Long-Lived Tokens Without RotationAuthentication & IdentityOAuth Misimplementation
  • K8Cross-Boundary Credential SharingData ExfiltrationTrust-Boundary Data Flow
  • K9Dangerous Post-Install HooksSupply Chain SecurityInstall-Time Execution
  • L1GitHub Actions Tag PoisoningSupply Chain SecurityCI/CD Poisoning
  • L10Registry Metadata SpoofingTool PoisoningUpdate-Channel Spoofing
  • L11Environment Variable Injection via MCP ConfigSupply Chain SecurityConfig Injection & Bridge Supply Chain
  • L12Build Artifact TamperingCode VulnerabilitiesOpenAPI / Spec Field Injection
  • L13Build Credential File TheftSupply Chain SecurityCI/CD Poisoning
  • L14Hidden Entry Point MismatchSupply Chain SecurityManifest & Entry-Point Confusion
  • L15Update Notification SpoofingTool PoisoningBehavior Drift
  • L2Malicious Build Plugin InjectionCode VulnerabilitiesOpenAPI / Spec Field Injection
  • L3Dockerfile Base Image Supply Chain RiskSupply Chain SecurityRegistry & Distribution Substitution
  • L4MCP Config File Code InjectionSupply Chain SecurityManifest & Entry-Point Confusion
  • L5Package Manifest Confusion IndicatorsSupply Chain SecurityManifest & Entry-Point Confusion
  • L6Config Directory Symlink AttackSupply Chain SecurityRegistry & Distribution Substitution
  • L7Transitive MCP Server DelegationSupply Chain SecurityManifest & Entry-Point Confusion
  • L8Version Rollback / Downgrade AttackSupply Chain SecurityRegistry & Distribution Substitution
  • L9CI/CD Secret Exfiltration PatternsSupply Chain SecurityCI/CD Poisoning
  • M2TokenBreak Boundary ManipulationModel ManipulationTokenizer Boundary Attacks
  • M6Progressive Context Poisoning EnablersHuman OversightTool-Position & Progressive Poisoning
  • M7Tool Response Structure BombDenial of ServiceResponse Payload Amplification
  • M8Inference Cost AmplificationDenial of ServiceInference Cost Amplification
  • M9Model-Specific System Prompt ExtractionModel ManipulationReasoning Extraction
  • N1JSON-RPC Batch Request AbuseProtocol & TransportJSON-RPC Batching & Flooding
  • N10Incomplete Handshake Denial of ServiceProtocol & TransportJSON-RPC Batching & Flooding
  • N11Protocol Version Downgrade AttackProtocol & TransportProtocol Version & Method Confusion
  • N12Resource Subscription Content MutationPrompt InjectionIndirect Gateway Injection
  • N13HTTP Chunked Transfer SmugglingProtocol & TransportStreaming & Session Hijacking
  • N14Trust-On-First-Use Bypass (TOFU)Authentication & IdentitySession & Transport Security
  • N15JSON-RPC Method Name ConfusionProtocol & TransportProtocol Version & Method Confusion
  • N2JSON-RPC Notification FloodingProtocol & TransportJSON-RPC Batching & Flooding
  • N3JSON-RPC Request ID CollisionProtocol & TransportJSON-RPC Batching & Flooding
  • N4JSON-RPC Error Object InjectionPrompt InjectionProtocol-Surface Injection
  • N5Capability Downgrade DeceptionProtocol & TransportProtocol Version & Method Confusion
  • N6SSE Reconnection HijackingProtocol & TransportStreaming & Session Hijacking
  • N7Progress Token Prediction and InjectionProtocol & TransportStreaming & Session Hijacking
  • N8Cancellation Race ConditionProtocol & TransportJSON-RPC Batching & Flooding
  • N9MCP Logging Protocol InjectionPrompt InjectionContext & Trust Manipulation
  • O10Privacy-Violating TelemetryData ExfiltrationCovert Channels
  • O4Clipboard and UI Exfiltration InjectionData ExfiltrationTrust-Boundary Data Flow
  • O5Environment Variable HarvestingData ExfiltrationCovert Channels
  • O6Server Fingerprinting via Error ResponsesData ExfiltrationCovert Channels
  • O8Timing-Based Covert ChannelData ExfiltrationCovert Channels
  • O9Ambient Credential ExploitationData ExfiltrationCovert Channels
  • P1Docker Socket Mount in ContainerContainer & RuntimeContainer Escape Vectors
  • P10Host Network Mode and Missing Egress ControlsContainer & RuntimeHost Mount & Network
  • P2Dangerous Container CapabilitiesContainer & RuntimeContainer Escape Vectors
  • P3Cloud Metadata Service AccessContainer & RuntimeCloud Metadata Access
  • P4TLS Certificate Validation BypassContainer & RuntimeTLS & Crypto Misconfig
  • P5Secrets Exposed in Container Build LayersSupply Chain SecurityRegistry & Distribution Substitution
  • P6LD_PRELOAD and Shared Library HijackingContainer & RuntimeContainer Escape Vectors
  • P7Sensitive Host Filesystem MountContainer & RuntimeHost Mount & Network
  • P8Insecure Cryptographic Mode or Static IV/NonceContainer & RuntimeTLS & Crypto Misconfig
  • P9Missing Container Resource LimitsDenial of ServiceContainer Resource Exhaustion
  • Q13MCP Bridge Package Supply Chain AttackSupply Chain SecurityConfig Injection & Bridge Supply Chain
  • Q15A2A/MCP Protocol Boundary ConfusionHuman OversightTrust-Delegation Confusion
  • Q3Localhost MCP Service HijackingProtocol & TransportLocalhost & Concurrency Hijack
  • Q4IDE MCP Configuration InjectionSupply Chain SecurityConfig Injection & Bridge Supply Chain
  • Q7Desktop Extension Privilege ChainContainer & RuntimePrivileged Roots & Extensions

Tested cleanly

  • Prompt Injection24 rules tested cleanly
  • Tool Poisoning17 rules tested cleanly
  • Code Vulnerabilities23 rules tested cleanly
  • Data Exfiltration15 rules tested cleanly
  • Authentication & Identity9 rules tested cleanly
  • Supply Chain Security23 rules tested cleanly
  • Human Oversight6 rules tested cleanly
  • Audit & Logging5 rules tested cleanly
  • Multi-Agent Security1 rule tested cleanly
  • Protocol & Transport15 rules tested cleanly
  • Denial of Service7 rules tested cleanly
  • Container & Runtime10 rules tested cleanly
  • Model Manipulation8 rules tested cleanly
fastmcp-threatintel security findings — MCP Sentinel