Thirty CVEs in sixty days. That's the pace at which security researchers have been filing vulnerabilities against the Model Context Protocol ecosystem since January, and the numbers underneath that figure are worse than the headline suggests.
A comprehensive scan of 2,614 MCP implementations found that 82% of those handling file operations were vulnerable to path traversal attacks. Sixty-seven percent carried code injection risk. Between 38 and 41% of the 518 officially registered MCP servers offered no meaningful authentication at all. The worst single finding, CVE-2025-6514, was a CVSS 9.6 remote code execution flaw in the mcp-remote package — already downloaded more than 437,000 times before anyone disclosed it publicly. That last number matters. It marks the first confirmed MCP vulnerability with documented mass-scale real-world reach.
The protocol is less than two years old. Anthropic published it as an open standard for connecting AI agents to external tools and data sources, and adoption has been fast enough that "explosive" barely covers it. The security posture has not kept pace.
"The attack surface expanded before the defensive tooling existed," said Yaron Shamir, a security researcher at Adversa AI whose SecureClaw report flagged a 36.7% SSRF exposure rate across surveyed MCP implementations. "We were scanning servers with no authentication, no input validation, nothing. These weren't edge cases — they were the norm."
The vulnerability timeline has a particular shape. It starts in April 2025, when researchers showed that the WhatsApp MCP Server could be exploited through tool poisoning: inject malicious instructions into tool descriptions, and AI agents will exfiltrate entire chat histories without any authentication bypass required. That's not a subtle attack vector. It worked because the protocol's design assumes agents can trust tool metadata at face value.
A month later, the GitHub MCP Server. Prompt injection attacks embedded in public Issues and Pull Requests caused agents to leak private repository code into public PRs — the kind of exposure that ends careers and triggers incident reports. By July, "MCPoison" had been documented as a full attack class against Cursor IDE users, exploiting a trust-caching mechanism that stored server approvals without re-validating them on subsequent connections. Even Anthropic's own reference implementations weren't spared: its Filesystem MCP Server fell to path traversal, and its MCP Inspector debugging tool contained a separate RCE vulnerability.
Researchers have since catalogued five core attack pattern families across the ecosystem: tool poisoning, prompt injection via external data, trust bypass, supply chain attacks, and cross-tenant exposure. All five map directly onto the newly published OWASP Agentic Security Top 10 — which is either reassuring, because the risks are now formally understood, or alarming, because they're confirmed as systemic. Exec and shell injection — typically the result of MCP servers acting as thin wrappers around CLI tools that call exec() with unsanitised input — accounted for 43% of all filed CVEs on their own.
The defensive response is real but nascent. Invariant Labs' mcp-scan and the Smithery registry audit are the most visible tools operators have right now. Neither is close to matching the scale of the exposure.
For anyone running MCP servers in production, the practical checklist from this wave of disclosures isn't complicated: validate and sanitise all tool inputs before they reach shell commands, enforce authentication on every exposed endpoint, implement sandbox isolation with strict path allowlisting, and treat tool descriptions themselves as untrusted content. The harder problem sits one layer deeper. The protocol's foundational assumption — that agents can implicitly trust the metadata provided by registered tools — is an architectural liability that no amount of patching will fully address. Cryptographic verification and continuous re-validation aren't features to schedule for a future release. At the current CVE rate, they're a prerequisite for deployment.
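The first and third items on that checklist, as an added example that is not from the article or from any MCP project: a hardened handler for a hypothetical MCP tool that wraps the `wc` CLI, with an allowlisted flag set, argv passed without a shell, and every file path resolved and checked against a sandbox root. The sandbox root, the tool and the function names are assumptions.

```python
import re
import subprocess
from pathlib import Path
from typing import List

# Assumed sandbox root for the file-handling tool (not taken from the article).
SANDBOX_ROOT = Path("/srv/mcp-sandbox").resolve()

# Inputs are allowlisted by shape, not blocklisted by character: the mode is a
# name mapped to a fixed flag (so callers can never supply flags directly), and
# file names must be plain relative paths that start with a normal character.
ALLOWED_MODES = {"lines": "-l", "words": "-w", "bytes": "-c"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]{0,254}$")


def resolve_in_sandbox(user_path: str) -> Path:
    """Map a caller-supplied relative path onto the sandbox root and refuse anything
    that resolves outside it: '..' traversal, absolute paths and symlink escapes."""
    if not SAFE_NAME.match(user_path):
        raise ValueError(f"rejected path syntax: {user_path!r}")
    candidate = (SANDBOX_ROOT / user_path).resolve()
    if candidate != SANDBOX_ROOT and SANDBOX_ROOT not in candidate.parents:
        raise ValueError(f"path escapes sandbox: {user_path!r}")
    return candidate


def build_wc_command(mode: str, user_path: str) -> List[str]:
    """Build argv for `wc` as a list: no shell is involved, so shell metacharacters
    in tool input are only ever literal characters, never command separators."""
    if mode not in ALLOWED_MODES:
        raise ValueError(f"rejected mode: {mode!r}")
    target = resolve_in_sandbox(user_path)
    return ["wc", ALLOWED_MODES[mode], "--", str(target)]


def run_wc_tool(mode: str, user_path: str) -> str:
    """Hardened tool handler: validated argv, shell=False, bounded runtime."""
    argv = build_wc_command(mode, user_path)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return proc.stdout.strip()


def check_tool_input(mode: str, user_path: str) -> bool:
    """True when the input passes validation without running anything; handy for audits."""
    try:
        build_wc_command(mode, user_path)
        return True
    except ValueError:
        return False
```

A traversal that survives the regex (for example a name that starts normally and then climbs with `..`) is still caught by the resolve-and-compare step, which is why both checks are kept.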