Category

Code Vulnerabilities

MCP03MCP05MCP07ASI02ASI05CoSAI-T3MAESTRO-L3EU-AI-Act-Art-15AML.T0054#

Exploitable flaws in MCP server source code — classical injection, deserialization, dynamic-code-evaluation, and configuration sinks that arbitrary tool input reaches without sanitization.

1medium
Sub-category

Server-Hardening Failures

11 rule1 finding

Defenses that should be on by default and aren't: error leakage in responses, wildcard CORS, network bind without auth, and ReDoS-prone regex on user input.

Rule
E1

No Authentication Required

MediumMCP07-insecure-config

MCP server accepts initialize handshake without any authentication token or API key

Tests3 strategies

How this rule decides. Each strategy below is a deterministic analysis the detector runs against the MCP server's static metadata, source code, and (when present) live connection handshake.

Primary techniquestructural
  1. 1

    Null Connection Skip

    null-connection-skip
  2. 2

    Localhost Does Not Count

    localhost-does-not-count
  3. 3

    Proxy Layer Reviewer Note

    proxy-layer-reviewer-note
Evidence1 finding

What we found. Each finding below carries a structured proof chain from source (where untrusted data enters) through propagation (how it flows) to a sink (where the dangerous operation occurs), including any mitigations checked for and the potential impact if exploited. Every link is independently verifiable against the cited location.

Proof chain

4 steps from untrusted source to potential impact. Each step is independently verifiable against the cited location.

  1. SourceEnvironment
    Where
    capability:tools
    Observed
    Live connection to the MCP server over streamable-http succeeded with no credentials. `initialize` + `tools/list` returned without any WWW-Authenticate challenge.
    Why untrusted
    An MCP server that answers tool enumeration without authentication trusts the network. Under modern threat models (CCS 2007 DNS rebinding, open cloud networking) no network is trustworthy.
  2. SinkPrivilege Grant
    Where
    capability:tools
    Observed
    Full tool authority exposed without identity verification. Any client that reaches the transport can enumerate and (on systems that expose invocation) call every tool.
  3. MitigationAuth CheckAbsent
    Where
    capability:tools
    Detail
    No authentication mechanism present at the MCP server layer. Reverse-proxy-terminated auth may exist at a layer the scanner cannot observe; reviewer must confirm via the deployment diagram.
  4. ImpactPrivilege Escalation
    Scope
    server-host
    Exploitability
    Trivial
    Scenario
    Any network-reachable client can connect and invoke tools with the server's delegated authority. For localhost-bound servers, a malicious web page can still reach the server via DNS rebinding (Jackson/Bortz/Boneh 2007), making localhost no better than 0.0.0.0.
Confidence75%
  • +0.1
    auth-check absentNo auth-check found — No authentication mechanism present at the MCP server layer. Reverse-proxy-terminated auth may exist at a layer the scanner cannot observe; reviewer must confirm via the deployment diagram.
  • +0.2
    no_auth_confirmed_runtimeLive runtime observation: connection over streamable-http succeeded without credentials. This is not a heuristic — the scanner demonstrated the unauth posture directly.
Real-world precedent
MCP-Authorization-2025

MCP Authorization Specification (mid-2025 adoption)

The MCP Authorization spec requires OAuth 2.0 (RFC 9700) or equivalent for remote servers. A server that serves initialize + tools/list unauthenticated is out of spec conformance.

How to verify this finding3 steps
  1. 1
    test-input

    Connect to the MCP server transport (streamable-http) without providing any credentials (no Authorization header, no API key query parameter, no mTLS certificate). Issue the `initialize` request followed by `tools/list`. If both succeed, authentication is genuinely absent.

    Target: capability:tools

    Expect: Server responds 200/OK to `initialize` and returns the tool list without a 401/403 or any WWW-Authenticate challenge.

  2. 2
    check-config

    If the MCP server is fronted by a reverse proxy (nginx / envoy / Traefik / IAP), inspect the proxy configuration and confirm whether auth is terminated at that layer. If yes, document the proxy's auth strategy in an audit note; the finding can then be dismissed with provenance. If no, the server is the auth boundary and E1 stands.

    Target: nginx.conf/server/location

    Expect: Either the proxy enforces auth (dismiss with audit trail) or no proxy exists (E1 stands).

  3. 3
    check-config

    Verify the server's bind address. A 127.0.0.1 bind is not a substitute for authentication — DNS rebinding (Jackson/Bortz/Boneh 2007) makes localhost reachable from any web page the user visits. Unauthenticated localhost MCP servers have been demonstrated-exploited in the wild.

    Target: capability:tools

    Expect: Bind address is 0.0.0.0 / a routable IP (direct network exposure) OR 127.0.0.1 (still exposed via DNS rebinding from a malicious web page).

More — frameworks, edge cases, backing5 edge cases · 6 frameworks
Lethal edge cases (5)
  • Localhost-only binding is NOT a substitute for auth. Many MCP servers bind to 127.0.0.1 and assume that is sufficient. DNS rebinding makes localhost reachable from any tab in the user's browser. The rule fires on auth_required=false regardless of transport or bind address; the localhost assumption is called out in the impact narrative.
  • stdio transport. An MCP server running over stdio (the process launches the server and pipes to it) inherits the parent process's security boundary. For stdio-launched servers E1 is arguably not material — the parent process is the authentication. The connection metadata populated by the scanner only reaches E1 when a live network connection was made; for stdio-only servers E1 skips silently (connection_metadata=null).
  • "auth_required: false" but auth happens at a higher layer. Some deployments front the MCP server with a reverse proxy that terminates OAuth before the request reaches the server. The scanner cannot see the proxy; a false positive is possible. The verification step explicitly instructs the reviewer to confirm proxy-layer auth before dismissing.
  • connection_metadata is null. When no live connection was made, the rule cannot assert anything about the runtime auth posture. It MUST skip silently (AnalysisCoverage records the gap).
  • auth_required=true but auth is trivially bypassable. The scanner observes whether the server rejects unauthenticated connections, not whether the auth itself is strong. This rule does NOT cover weak-auth cases — that is outside E1's surface (H1 covers OAuth specifically; K6/K7/K8 cover token lifecycle).
Confidence cap
unbounded
Frameworks (6)
  • EU AI ActArt.15Accuracy, Robustness, and Cybersecurity
  • ISO 27001A.5.15Access Control
  • OWASP MCPMCP07Insecure Configuration
  • OWASP ASIASI03Identity & Privilege Abuse
  • CoSAI MCPCoSAI-T1Identity & Authentication Abuse
  • MITRE ATLASAML.T0055Unsecured Credentials
Backing
  • Precision:
  • Recall:
  • Red-team fixtures: 3
  • CVE replays: none
  • Last validated:
Test 106 more rules — give us more context2 input gaps
Dependency manifest7 rules

To unlock these tests: expose your package manifest.

  • D1Known CVEs in DependenciesSupply Chain SecurityKnown Vulnerable Dependencies
  • D2Abandoned DependenciesSupply Chain SecurityKnown Vulnerable Dependencies
  • D3Typosquatting Risk in DependenciesSupply Chain SecurityMalicious & Typosquat Packages
  • D4Excessive Dependency CountSupply Chain SecurityKnown Vulnerable Dependencies
  • D5Known Malicious or Flagged PackageSupply Chain SecurityMalicious & Typosquat Packages
  • D6Weak or Deprecated Cryptography DependenciesCode VulnerabilitiesInsecure Credential & Crypto
  • D7Dependency Confusion Attack RiskSupply Chain SecurityMalicious & Typosquat Packages
Source code99 rules

To unlock these tests: publish your source on GitHub.

  • C1Command InjectionCode VulnerabilitiesCommand & Shell Execution
  • C10Prototype PollutionCode VulnerabilitiesData Store Injection
  • C11ReDoS — Catastrophic Regex BacktrackingCode VulnerabilitiesServer-Hardening Failures
  • C12Unsafe DeserializationCode VulnerabilitiesDynamic Code Evaluation & Deserialization
  • C13Server-Side Template Injection (SSTI)Code VulnerabilitiesDynamic Code Evaluation & Deserialization
  • C14JWT Algorithm Confusion / None Algorithm AttackCode VulnerabilitiesInsecure Credential & Crypto
  • C15Timing Attack on Secret or Token ComparisonCode VulnerabilitiesInsecure Credential & Crypto
  • C16Dynamic Code Evaluation with User InputCode VulnerabilitiesCommand & Shell Execution
  • C2Path TraversalCode VulnerabilitiesFilesystem & Network Traversal
  • C3Server-Side Request Forgery (SSRF)Code VulnerabilitiesFilesystem & Network Traversal
  • C4SQL InjectionCode VulnerabilitiesData Store Injection
  • C5Hardcoded Secrets in Source CodeCode VulnerabilitiesInsecure Credential & Crypto
  • C6Error Message Information LeakageCode VulnerabilitiesServer-Hardening Failures
  • C7Wildcard CORS ConfigurationCode VulnerabilitiesServer-Hardening Failures
  • C8No Authentication on Network-Exposed ServerCode VulnerabilitiesServer-Hardening Failures
  • C9Excessive Filesystem ScopeCode VulnerabilitiesCommand & Shell Execution
  • G7DNS-Based Data Exfiltration ChannelData ExfiltrationExplicit Network Exfiltration
  • H1MCP OAuth 2.0 Insecure ImplementationAuthentication & IdentityOAuth Misimplementation
  • I12Capability Escalation Post-InitializationHuman OversightPost-Init Capability Escalation
  • I15Transport Session SecurityAuthentication & IdentitySession & Transport Security
  • J1Cross-Agent Configuration PoisoningSupply Chain SecurityConfig Injection & Bridge Supply Chain
  • J2Git Argument InjectionCode VulnerabilitiesCommand & Shell Execution
  • J4Health Endpoint Information DisclosureModel ManipulationInformation Disclosure Via Debug Surface
  • J5Tool Output Poisoning PatternsPrompt InjectionIndirect Gateway Injection
  • J7OpenAPI Specification Field InjectionCode VulnerabilitiesOpenAPI / Spec Field Injection
  • K1Absent Structured LoggingAudit & LoggingAbsent or Unstructured Logging
  • K10Package Registry SubstitutionTool PoisoningUpdate-Channel Spoofing
  • K11Missing Server Integrity VerificationSupply Chain SecurityKnown Vulnerable Dependencies
  • K12Executable Content in Tool ResponseTool PoisoningAnnotation Deception
  • K13Unsanitized Tool OutputTool PoisoningAnnotation Deception
  • K14Agent Credential Propagation via Shared StateAuthentication & IdentityCross-Boundary Credential Sharing
  • K16Unbounded Recursion / Missing Depth LimitsProtocol & TransportJSON-RPC Batching & Flooding
  • K17Missing Timeout or Circuit BreakerDenial of ServiceRecursion & Loop Bombs
  • K18Cross-Trust-Boundary Data Flow in Tool ResponseData ExfiltrationSource-to-Sink Flow
  • K19Missing Runtime Sandbox EnforcementDenial of ServiceTimeout & Circuit-Breaker Gaps
  • K2Audit Trail DestructionAudit & LoggingLog Destruction
  • K20Insufficient Audit Context in LoggingAudit & LoggingInsufficient Audit Context
  • K3Audit Log TamperingAudit & LoggingLog Destruction
  • K5Auto-Approve / Bypass Confirmation PatternHuman OversightAuto-Approve & Bypass
  • K6Overly Broad OAuth ScopesAuthentication & IdentityOAuth Misimplementation
  • K7Long-Lived Tokens Without RotationAuthentication & IdentityOAuth Misimplementation
  • K8Cross-Boundary Credential SharingData ExfiltrationTrust-Boundary Data Flow
  • K9Dangerous Post-Install HooksSupply Chain SecurityInstall-Time Execution
  • L1GitHub Actions Tag PoisoningSupply Chain SecurityCI/CD Poisoning
  • L10Registry Metadata SpoofingTool PoisoningUpdate-Channel Spoofing
  • L11Environment Variable Injection via MCP ConfigSupply Chain SecurityConfig Injection & Bridge Supply Chain
  • L12Build Artifact TamperingCode VulnerabilitiesOpenAPI / Spec Field Injection
  • L13Build Credential File TheftSupply Chain SecurityCI/CD Poisoning
  • L14Hidden Entry Point MismatchSupply Chain SecurityManifest & Entry-Point Confusion
  • L15Update Notification SpoofingTool PoisoningBehavior Drift
  • L2Malicious Build Plugin InjectionCode VulnerabilitiesOpenAPI / Spec Field Injection
  • L3Dockerfile Base Image Supply Chain RiskSupply Chain SecurityRegistry & Distribution Substitution
  • L4MCP Config File Code InjectionSupply Chain SecurityManifest & Entry-Point Confusion
  • L5Package Manifest Confusion IndicatorsSupply Chain SecurityManifest & Entry-Point Confusion
  • L6Config Directory Symlink AttackSupply Chain SecurityRegistry & Distribution Substitution
  • L7Transitive MCP Server DelegationSupply Chain SecurityManifest & Entry-Point Confusion
  • L8Version Rollback / Downgrade AttackSupply Chain SecurityRegistry & Distribution Substitution
  • L9CI/CD Secret Exfiltration PatternsSupply Chain SecurityCI/CD Poisoning
  • M2TokenBreak Boundary ManipulationModel ManipulationTokenizer Boundary Attacks
  • M6Progressive Context Poisoning EnablersHuman OversightTool-Position & Progressive Poisoning
  • M7Tool Response Structure BombDenial of ServiceResponse Payload Amplification
  • M8Inference Cost AmplificationDenial of ServiceInference Cost Amplification
  • M9Model-Specific System Prompt ExtractionModel ManipulationReasoning Extraction
  • N1JSON-RPC Batch Request AbuseProtocol & TransportJSON-RPC Batching & Flooding
  • N10Incomplete Handshake Denial of ServiceProtocol & TransportJSON-RPC Batching & Flooding
  • N11Protocol Version Downgrade AttackProtocol & TransportProtocol Version & Method Confusion
  • N12Resource Subscription Content MutationPrompt InjectionIndirect Gateway Injection
  • N13HTTP Chunked Transfer SmugglingProtocol & TransportStreaming & Session Hijacking
  • N14Trust-On-First-Use Bypass (TOFU)Authentication & IdentitySession & Transport Security
  • N15JSON-RPC Method Name ConfusionProtocol & TransportProtocol Version & Method Confusion
  • N2JSON-RPC Notification FloodingProtocol & TransportJSON-RPC Batching & Flooding
  • N3JSON-RPC Request ID CollisionProtocol & TransportJSON-RPC Batching & Flooding
  • N4JSON-RPC Error Object InjectionPrompt InjectionProtocol-Surface Injection
  • N5Capability Downgrade DeceptionProtocol & TransportProtocol Version & Method Confusion
  • N6SSE Reconnection HijackingProtocol & TransportStreaming & Session Hijacking
  • N7Progress Token Prediction and InjectionProtocol & TransportStreaming & Session Hijacking
  • N8Cancellation Race ConditionProtocol & TransportJSON-RPC Batching & Flooding
  • N9MCP Logging Protocol InjectionPrompt InjectionContext & Trust Manipulation
  • O10Privacy-Violating TelemetryData ExfiltrationCovert Channels
  • O4Clipboard and UI Exfiltration InjectionData ExfiltrationTrust-Boundary Data Flow
  • O5Environment Variable HarvestingData ExfiltrationCovert Channels
  • O6Server Fingerprinting via Error ResponsesData ExfiltrationCovert Channels
  • O8Timing-Based Covert ChannelData ExfiltrationCovert Channels
  • O9Ambient Credential ExploitationData ExfiltrationCovert Channels
  • P1Docker Socket Mount in ContainerContainer & RuntimeContainer Escape Vectors
  • P10Host Network Mode and Missing Egress ControlsContainer & RuntimeHost Mount & Network
  • P2Dangerous Container CapabilitiesContainer & RuntimeContainer Escape Vectors
  • P3Cloud Metadata Service AccessContainer & RuntimeCloud Metadata Access
  • P4TLS Certificate Validation BypassContainer & RuntimeTLS & Crypto Misconfig
  • P5Secrets Exposed in Container Build LayersSupply Chain SecurityRegistry & Distribution Substitution
  • P6LD_PRELOAD and Shared Library HijackingContainer & RuntimeContainer Escape Vectors
  • P7Sensitive Host Filesystem MountContainer & RuntimeHost Mount & Network
  • P8Insecure Cryptographic Mode or Static IV/NonceContainer & RuntimeTLS & Crypto Misconfig
  • P9Missing Container Resource LimitsDenial of ServiceContainer Resource Exhaustion
  • Q13MCP Bridge Package Supply Chain AttackSupply Chain SecurityConfig Injection & Bridge Supply Chain
  • Q15A2A/MCP Protocol Boundary ConfusionHuman OversightTrust-Delegation Confusion
  • Q3Localhost MCP Service HijackingProtocol & TransportLocalhost & Concurrency Hijack
  • Q4IDE MCP Configuration InjectionSupply Chain SecurityConfig Injection & Bridge Supply Chain
  • Q7Desktop Extension Privilege ChainContainer & RuntimePrivileged Roots & Extensions

Tested cleanly

  • Prompt Injection24 rules tested cleanly
  • Tool Poisoning17 rules tested cleanly
  • Data Exfiltration15 rules tested cleanly
  • Authentication & Identity9 rules tested cleanly
  • Supply Chain Security23 rules tested cleanly
  • Human Oversight6 rules tested cleanly
  • Audit & Logging5 rules tested cleanly
  • Multi-Agent Security1 rule tested cleanly
  • Protocol & Transport15 rules tested cleanly
  • Denial of Service7 rules tested cleanly
  • Container & Runtime10 rules tested cleanly
  • Model Manipulation8 rules tested cleanly
Huntress API MCP Server security findings — MCP Sentinel