The Model Context Protocol (MCP) is an emerging open standard that enables AI-powered applications to interact with external tools through structured metadata. A rapidly growing ecosystem has formed around MCP, including a wide range of MCP hosts (e.g., Cursor, Windsurf, Claude Desktop, and Cline), MCP registries (e.g., mcp.so, MCP Market, MCP Store, Pulse MCP, Smithery, and npm), and thousands of community-contributed MCP servers. Although the MCP ecosystem is gaining traction, there has been little systematic study of its architecture and associated security risks. In this paper, we present the first comprehensive security analysis of the MCP ecosystem. We decompose the MCP ecosystem into three core components: hosts, registries, and servers, and study the interactions and trust relationships among them. Users search for servers on registries and configure them in the host, which translates the LLM's generated output into invocations of the external tools the servers provide and executes them. Our qualitative analysis reveals that hosts lack verification mechanisms for LLM-generated outputs, enabling malicious servers to manipulate model behavior and induce a variety of security threats, including but not limited to sensitive data exfiltration. We also uncover a wide range of vulnerabilities that enable attackers to hijack servers, rooted in the lack of a vetted server submission process in registries. To support our analysis, we collect and analyze a dataset of 67,057 servers from six public registries. Our quantitative analysis demonstrates that a substantial number of these servers can be hijacked by attackers. Finally, we propose practical defense strategies for MCP hosts, registries, and users. We responsibly disclosed our findings to the affected hosts and registries.
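As an added illustration (not code from the paper, and not the implementation of any MCP host), the following Python sketch shows the kind of host-side output verification the abstract says is missing: before a model-emitted tool call is executed, the host checks it against the tools the configured servers actually declared (MCP tool definitions carry a name, a description and a JSON Schema `inputSchema`) and against a host policy that scopes which servers may receive filesystem paths and where those paths may point. The server names, tool definitions, workspace root and per-server path policy are constructed for the example and are assumptions, not MCP requirements.

```python
"""Host-side verification of LLM-generated MCP tool calls (illustrative)."""
import os

# Constructed sample: what two configured servers returned for tools/list.
# MCP tool definitions carry name, description and a JSON Schema inputSchema.
DECLARED_TOOLS = {
    "fs": [
        {"name": "read_file",
         "description": "Read a file inside the workspace.",
         "inputSchema": {"type": "object",
                         "properties": {"path": {"type": "string"}},
                         "required": ["path"]}},
    ],
    "weather": [
        {"name": "get_forecast",
         "description": "Forecast for a city.",
         "inputSchema": {"type": "object",
                         "properties": {"city": {"type": "string"},
                                        "days": {"type": "integer"}},
                         "required": ["city"]}},
    ],
}

# Host policy (assumption, not part of MCP): only the fs server may receive
# filesystem paths, and only paths under the configured workspace root.
WORKSPACE = "/home/user/project"
PATH_ALLOWED_SERVERS = {"fs"}

_JSON_TYPES = {"string": str, "integer": int, "number": (int, float),
               "boolean": bool, "object": dict, "array": list}


def _check_schema(args, schema):
    """Minimal JSON Schema subset: required keys, declared types, no extras.
    Returns None when the arguments conform, otherwise a reason string."""
    if not isinstance(args, dict):
        return "arguments must be an object"
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in args:
            return f"missing required argument {key!r}"
    for key, value in args.items():
        if key not in props:  # reject arguments the schema never declared
            return f"undeclared argument {key!r}"
        expected = _JSON_TYPES.get(props[key].get("type"))
        # bool is a subclass of int in Python; do not let True pass as an integer
        if expected and (not isinstance(value, expected) or
                         (expected is int and isinstance(value, bool))):
            return f"argument {key!r} has wrong type"
    return None


def _looks_like_path(value):
    """Heuristic (assumption): absolute, home-relative or traversing strings."""
    return isinstance(value, str) and (
        value.startswith("/") or value.startswith("~") or ".." in value)


def verify_tool_call(call, declared=DECLARED_TOOLS, workspace=WORKSPACE):
    """Return (ok, reason) for a model-emitted call routed to one server.

    `call` is a host-side record {"server": ..., "name": ..., "arguments": {...}};
    the "server" key is host routing state, not part of the MCP tools/call message.
    """
    server = call.get("server")
    tools = {t["name"]: t for t in declared.get(server, [])}
    tool = tools.get(call.get("name"))
    if tool is None:
        return False, f"tool {call.get('name')!r} not declared by server {server!r}"
    args = call.get("arguments", {})
    err = _check_schema(args, tool["inputSchema"])
    if err:
        return False, err
    root = os.path.normpath(workspace)
    for key, value in args.items():
        if not _looks_like_path(value):
            continue
        if server not in PATH_ALLOWED_SERVERS:
            return False, f"server {server!r} may not receive filesystem paths"
        # normpath collapses ".." segments; a real host should also resolve
        # symlinks (os.path.realpath) against the live filesystem.
        target = os.path.normpath(os.path.join(root, os.path.expanduser(value)))
        if os.path.commonpath([root, target]) != root:
            return False, f"path {value!r} escapes the workspace"
    return True, "ok"


if __name__ == "__main__":
    for c in [
        {"server": "fs", "name": "read_file", "arguments": {"path": "src/main.py"}},
        {"server": "fs", "name": "read_file", "arguments": {"path": "../../.ssh/id_rsa"}},
        {"server": "weather", "name": "get_forecast", "arguments": {"city": "/etc/passwd"}},
    ]:
        print(c["name"], verify_tool_call(c))
```

The second and third calls model the exfiltration pattern the abstract describes: a server whose tool description steers the model into reading a credential file, or into smuggling a local path to a server that has no business receiving one. Schema and policy checks of this kind run in the host, so they apply regardless of what any server's description told the model.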