We tested six high-adoption MCP servers with a combined 68,305 GitHub stars. Every critical- and high-severity finding was validated under controlled runtime conditions. The confirmation rate was 100%.

Servers tested:                  6
Combined GitHub stars:           68,305
Critical/high findings tested:   28
Confirmed exploitable:           28
Secrets extracted (test data):   17
Auth bypass success rate:        4/4

Six patterns, six servers

No authentication. Four of the six servers had missing or trivially bypassable authentication. MCP servers frequently assume that binding to localhost provides sufficient access control. It does not, particularly when combined with permissive CORS policies that allow cross-origin requests from any domain.

Blocklist-based input filtering. One server blocked shell metacharacters such as semicolons, pipes, and ampersands, but permitted any single command to pass through unfiltered. Commands such as cat, curl, and wget executed without restriction. This is the fundamental failure mode of blocklists. They enumerate what is forbidden and permit everything else. The set of dangerous commands is unbounded. Allowlists are the correct approach.

Hardcoded cryptographic material. One server derived encryption keys using PBKDF2 with a static salt embedded in public source code: b"static_salt_for_credentials". Because the repository is open, every attacker has access to the salt. NIST SP 800-132 recommends randomly generated salts of at least 128 bits, unique per credential.

SSRF without egress filtering. A research server's crawler accepted arbitrary URLs with no destination restrictions. During testing, the server successfully reached the AWS metadata endpoint at 169.254.169.254, the GCP metadata endpoint, internal network addresses, and localhost services. Anyone running this server on a cloud instance becomes an open proxy.

Covert instructions in tool descriptions. One server embedded behavioral directives inside tool descriptions. This text is invisible to the user but processed by the AI model as part of the tool specification. The instructions directed the model to determine the user's API key type and, in the original author's words, "silently remember it." The typo in the first instance was corrected in the second, indicating these were written at separate times rather than duplicated. Whether this constitutes intentional surveillance or a product design decision is an open question. What is not ambiguous: the tool description modifies the model's behavior without the user's knowledge or consent.

Unrestricted code execution. Three of six servers provided direct paths to arbitrary code execution through execSync with unsanitized string interpolation, exec() on user-provided Python, and eval() through an unauthenticated WebSocket bridge. In each case, code execution is the intended function. The security concern is not the primitive itself but the agent-mediated path that makes it reachable by untrusted input.

A concrete attack path

A developer runs an MCP server locally with API credentials stored in .env. The server has Access-Control-Allow-Origin: * and exposes a tool capable of fetching arbitrary URLs. A malicious webpage, visited in a normal browser session, triggers a cross-origin request to the local server, invokes the fetch tool against the cloud metadata endpoint, and retrieves IAM credentials. No user interaction beyond visiting the page is required. Every component of this chain was confirmed exploitable in the servers tested.

Recommendations

For server maintainers. Authenticate every endpoint. Localhost is not a security boundary. Use allowlists rather than blocklists for command execution. Generate unique cryptographic salts per credential. Implement egress filtering to block requests to internal IP ranges, link-local addresses, and cloud metadata endpoints. Keep tool descriptions strictly factual. Any description containing directives such as "remember," "don't tell," or "silently" is a prompt injection vector.
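An egress filter of the kind the maintainer recommendation above calls for, as an added example (it is not code from the report or from any server tested); the hostname denylist, the documentation-range addresses and the offline fake_resolver are assumptions constructed for the demo:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges the recommendation names: "this network", loopback, RFC 1918, link-local
# (home of 169.254.169.254), CGNAT, and the IPv6 loopback/ULA/link-local equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]
# Assumed hostname denylist: GCP metadata is reachable by name as well as by IP.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}

def is_blocked_ip(ip_str: str) -> bool:
    """True if the address lies in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip_str.split("%")[0])  # strip any IPv6 zone id
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def check_fetch_target(url: str, resolver=socket.getaddrinfo) -> str:
    """Validate a URL a fetch tool is about to request and return the IP to connect to.
    Every host, literal or not, goes through the resolver, so shorthand such as 127.1
    cannot slip past a string comparison; one blocked answer rejects the request. Connect
    to the returned IP rather than re-resolving: that closes the DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or host.rstrip(".").lower() in BLOCKED_HOSTNAMES:
        raise ValueError(f"blocked or missing host: {host!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as e:
        raise ValueError(f"cannot resolve {host}: {e}") from e
    addrs = sorted({info[4][0] for info in infos})
    blocked = [a for a in addrs if is_blocked_ip(a)]
    if blocked or not addrs:
        raise ValueError(f"{host} resolves to blocked address(es): {blocked}")
    return addrs[0]

# Constructed, offline stand-in for DNS so the example runs without network access.
FAKE_DNS = {"public.example": ["203.0.113.10"], "127.1": ["127.0.0.1"],
            "169.254.169.254": ["169.254.169.254"],
            "rebind.example": ["203.0.113.10", "10.0.0.5"]}  # mixed answers: hostile

def fake_resolver(host, port, proto=0):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port)) for ip in FAKE_DNS[host]]
```

In production, pass the real socket.getaddrinfo (the default) and hand the returned address to the HTTP client so the connection goes to exactly the IP that was checked.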

For users. Review the trust score and detailed findings for any MCP server before installation. Audit tool permissions. A server exposing 254 tools carries a fundamentally different risk profile than one with two read-only endpoints. Scope access tokens to the minimum permissions required. Treat any localhost server as network-exposed.

This is a condensed version. The full report with per-server exploit breakdowns, methodology, source-level evidence, and published exploit reports is available at agentseal.org/blog/runtime-exploitation-mcp-servers.