Model Context Protocol (MCP) has emerged as a standard interface for connecting LLM agents to external tools. Because MCP servers expose privileged operations such as shell execution, network access, and file-system manipulation to agent-driven invocation, implementation flaws in tool handlers can create a direct path from natural-language input to security-sensitive sinks, potentially granting attackers remote code execution or full system compromise. Existing approaches either produce unconfirmed static alerts without dynamic validation, or rely on fixed template libraries that lack code-level guidance and fail to trigger vulnerabilities requiring specific parameter shapes or multi-step taint paths. In this paper, we present VIPER-MCP, the first end-to-end automated vulnerability auditing framework for MCP servers that not only detects taint-style vulnerabilities but also dynamically confirms their exploitability by producing concrete proof-of-concept prompts. VIPER-MCP introduces two novel techniques: (1) an anchor-query pass in a two-pass static analysis strategy that augments standard taint alerts with function-level structural context, resolving file-level static artifacts to specific MCP tool handlers and producing vulnerability-anchored call chains; and (2) a feedback-driven prompt evolution mechanism that employs dual-mutator scheduling that independently corrects tool-selection drift and deepens parameter penetration, together with fitness-scored seed selection to iteratively refine natural-language prompts toward vulnerable sinks. In a large-scale scan of 39,884 real-world open-source MCP server repositories, VIPER-MCP discovered 106 0-day vulnerabilities, all of which were confirmed through end-to-end exploit traces, with 67 CVE IDs assigned to date. We responsibly disclosed all confirmed findings to the affected developers and coordinated CVE assignment where applicable.
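To make the "anchor" idea concrete, here is an added example (not the paper's or VIPER-MCP's code) of a minimal static pass that ties each shell-execution sink back to the MCP tool handler whose parameters reach it, rather than reporting a bare file-level alert. It assumes the FastMCP-style `@mcp.tool()` decorator and parses a constructed sample server embedded in the block; the sink list is a simplification.

```python
# Added illustration of the anchor idea: tie each shell sink to the MCP tool handler
# whose parameters reach it. Not VIPER-MCP's code; assumes FastMCP's @mcp.tool()
# decorator. The sample server below is constructed for the example.
import ast

SAMPLE_SERVER = '''
import os, subprocess
from mcp.server.fastmcp import FastMCP
mcp = FastMCP("demo")
@mcp.tool()
def ping(host: str) -> str:        # parameter concatenated into a shell string
    return os.popen("ping -c1 " + host).read()
@mcp.tool()
def disk_usage(path: str) -> str:  # f-string handed to subprocess with shell=True
    return subprocess.run(f"du -sh {path}", shell=True, capture_output=True).stdout
@mcp.tool()
def run_ls(path: str) -> str:      # argv list, no shell: not a sink
    return subprocess.run(["ls", path], capture_output=True, text=True).stdout
'''

def _dotted(node):
    """'os.popen' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := _dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

def _shell_sink(call):
    """Sink name if the call hands a string to a shell, else None."""
    name = _dotted(call.func) or ""
    shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                and k.value.value is True for k in call.keywords)
    return name if name in ("os.system", "os.popen") or (
        name.startswith("subprocess.") and shell) else None

def find_tainted_handlers(source):
    """[(handler, sink)] for @mcp.tool handlers whose own parameters flow into a
    shell sink's first argument. Intra-procedural triage only, not dynamic proof."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        decos = {_dotted(d.func if isinstance(d, ast.Call) else d) for d in fn.decorator_list}
        if "mcp.tool" not in decos:
            continue
        params = {a.arg for a in fn.args.args}
        for call in ast.walk(fn):
            if isinstance(call, ast.Call) and call.args and (sink := _shell_sink(call)) \
               and any(isinstance(n, ast.Name) and n.id in params for n in ast.walk(call.args[0])):
                findings.append((fn.name, sink))
    return findings
```

On the sample server this reports `ping` and `disk_usage` with their sinks and leaves `run_ls` alone; a real pass would still need the dynamic confirmation step the paper describes before treating a finding as exploitable.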