MCP security
Risk inventory for model-context tooling, resource access, manifests, and tool execution boundaries.
| Risk | CWE | Why it matters | Safer design |
|---|---|---|---|
| Prompt injection sinks | CWE-77 | Text a tool returns (a fetched page, a file, a search hit) is read by the model as instructions and can steer its later tool calls | Treat tool outputs as untrusted data, keep them separate from system instructions, and require user confirmation before side-effecting calls |
| Command injection | CWE-78 | A tool builds a shell command line from model- or user-supplied strings, so whoever controls the string runs arbitrary commands on the host | Pass arguments as an argv list with no shell, validate each argument, and run with a timeout |
| SSRF in fetch tools | CWE-918 | A URL-fetching tool can be pointed at loopback, link-local metadata endpoints, or internal services the host can reach | Allowlist schemes and hosts, resolve the name and reject private, loopback and link-local addresses, and re-check every redirect |
| Secret leakage via env vars | CWE-526 | Credentials in the server's environment are inherited by every subprocess and readable by any tool that can print the environment | Fetch secrets from a secret manager at the point of use and start tool subprocesses with a minimal environment |
| Capability escalation | CWE-269 | A tool acts with broader permissions than its manifest declares, so a compromised or misdescribed tool reaches data it was never granted | Enforce least privilege per tool and check each requested action against the declared scope on every call |
| Missing rate limits | CWE-400 | A looping model or a malicious client can issue unbounded tool calls and exhaust CPU, memory, quota or money | Rate-limit calls per client and per tool, cap concurrency, and enforce timeouts |
| TOCTOU file races | CWE-367 | A path is validated, then the target is swapped for a symlink before the tool opens it | Open first and validate the descriptor you hold (fstat), refuse symlinks with O_NOFOLLOW, and use atomic rename or locks for writes |
| Missing auth on resources/list | CWE-862 | An unauthenticated `resources/list` reveals resource names and URIs, which are often sensitive in themselves | Require authorization on listing endpoints and filter the listing to what the caller may read |
| Zombie subprocesses | CWE-404 | Children the tool never waits on linger as zombies, leak descriptors, and fill the process table | Always wait() on children, run them in their own process group, and kill the whole group on timeout |
| Unverified manifest signing | CWE-347 | A tool manifest or package installed without signature verification can be swapped in transit or at the registry | Verify the manifest signature against a pinned publisher key and pin versions or content digests |
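A worked example for the command injection, missing rate limits and zombie subprocess rows, added here and not code from the original page or from any MCP implementation: the shell-interpolating "before" beside a runner that takes an argv list, drops the inherited environment, puts the child in its own process group, and kills and reaps the whole group on timeout. The binary allowlist, the minimal environment and the function names are assumptions made for this example.

```python
import os
import signal
import subprocess

# Assumptions for this example: which binaries a tool may run, and the
# environment it runs them in (no inherited API keys or tokens).
ALLOWED_BINARIES = {"echo", "wc", "sort", "sleep"}
MINIMAL_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def vulnerable_run(user_arg: str) -> str:
    """The 'before': user text is spliced into a shell command line.
    user_arg = "x; echo INJECTED" makes the shell run a second command."""
    return subprocess.run(f"echo {user_arg}", shell=True,
                          capture_output=True, text=True).stdout


def run_tool_command(argv: list, timeout: float = 5.0) -> dict:
    """Run argv with no shell, a minimal environment, its own process group
    and a hard timeout. Returns {"rc", "stdout", "timed_out"}."""
    if not argv or os.path.basename(argv[0]) not in ALLOWED_BINARIES:
        raise PermissionError(f"binary not allowed: {argv[:1]}")
    if any("\x00" in a for a in argv):
        raise ValueError("NUL byte in argument")
    proc = subprocess.Popen(
        argv,                       # list form: no shell parses these strings
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        text=True,
        env=MINIMAL_ENV,            # secrets in os.environ are not inherited
        start_new_session=True,     # own process group: grandchildren die with it
    )
    try:
        out, _ = proc.communicate(timeout=timeout)
        return {"rc": proc.returncode, "stdout": out, "timed_out": False}
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # the whole group, not just the child
        proc.communicate()                    # wait(): no zombie is left behind
        return {"rc": proc.returncode, "stdout": "", "timed_out": True}


if __name__ == "__main__":
    print(repr(vulnerable_run("x; echo INJECTED")))
    print(run_tool_command(["echo", "x; echo INJECTED"]))
    print(run_tool_command(["sleep", "30"], timeout=0.5))
```

Because `start_new_session=True` makes the child a session leader, its process group id equals its pid, which is what `os.killpg` needs; a tool that spawned `sh -c 'sleep 30'` and killed only the shell would otherwise leave the `sleep` running.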
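A worked example for the SSRF row, added here and not code from the original page or from any MCP fetch tool: a URL check that allowlists scheme and host, rejects userinfo tricks, resolves the name, and refuses any answer that is private, loopback, link-local or an IPv4-mapped IPv6 form of those. The allowlists, the resolver hook and the function names are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumptions for this example: the scheme and host allowlists.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"example.com", "api.example.com"}


def is_public_address(ip) -> bool:
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata endpoint
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> list:
    """Default resolver: every address the name maps to, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_url(url: str, resolve=resolve_all):
    """Validate a fetch-tool URL. Returns (host, addresses) the caller should
    connect to, so the checked addresses are the ones actually used."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        # https://api.example.com@evil.test/ would otherwise read as the allowed host
        raise ValueError("userinfo in URL is not allowed")
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    if not host or host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    try:
        addrs = resolve(host)
    except OSError as e:  # socket.gaierror is an OSError
        raise ValueError(f"cannot resolve {host}: {e}")
    if not addrs:
        raise ValueError(f"no addresses for {host}")
    for a in addrs:
        # ip_address() raises ValueError on anything odd, which also denies
        if not is_public_address(ipaddress.ip_address(a)):
            raise ValueError(f"{host} resolves to non-public address {a}")
    return host, addrs


def is_fetch_allowed(url: str, resolve=resolve_all) -> bool:
    """Fail-closed wrapper: any validation error means deny."""
    try:
        check_fetch_url(url, resolve)
        return True
    except ValueError:
        return False
```

Connect to one of the returned addresses (sending the hostname as SNI and Host header) rather than resolving again inside the HTTP client; otherwise a DNS rebinding attacker can answer the check with a public address and the connection with 127.0.0.1. Run the same check on every redirect target.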
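A worked example for the TOCTOU row, added here and not code from the original page or from any MCP resource server: a reader that never validates a path separately from opening it. It walks the requested path one component at a time with `dir_fd` and `O_NOFOLLOW`, so the kernel refuses a symlink at the moment of each open, and takes the file type from `fstat` on the descriptor it holds. The sample tree is constructed inside the example; the function names are its own.

```python
import os
import stat
import tempfile


def read_under_root(root: str, rel_path: str, max_bytes: int = 1 << 20) -> bytes:
    """Open rel_path beneath root with no check-then-open window."""
    parts = rel_path.split("/")
    if rel_path.startswith("/") or any(p in ("", ".", "..") for p in parts):
        raise ValueError("path must be relative with no empty, '.' or '..' components")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    # root is operator-configured and trusted, so resolving it once is fine
    fd = os.open(os.path.realpath(root), dir_flags)
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, dir_flags, dir_fd=fd)  # ELOOP if comp is a symlink
            os.close(fd)
            fd = nfd
        # O_NONBLOCK: a FIFO planted in place of the file cannot block the tool
        leaf = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
                       | os.O_NONBLOCK, dir_fd=fd)
    finally:
        os.close(fd)
    try:
        st = os.fstat(leaf)  # the file we hold, not a path that may have changed
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_size > max_bytes:
            raise PermissionError("resource too large")
        with os.fdopen(leaf, "rb") as f:
            leaf = -1  # the file object now owns the descriptor
            return f.read(max_bytes)
    finally:
        if leaf != -1:
            os.close(leaf)


def build_fixture() -> str:
    """Constructed sample tree for this example; returns the root path."""
    root = tempfile.mkdtemp(prefix="mcp-resources-")
    outside = tempfile.mkdtemp(prefix="mcp-outside-")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "readme.txt"), "wb") as f:
        f.write(b"hello from inside the root\n")
    with open(os.path.join(outside, "secret.txt"), "wb") as f:
        f.write(b"SECRET\n")
    # a leaf symlink and a directory symlink, both escaping the root
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "docs", "leak.txt"))
    os.symlink(outside, os.path.join(root, "docs", "escape"))
    return root


def try_read(root: str, rel_path: str) -> str:
    """'ok:<content>' or 'denied:<exception type>' for a requested resource."""
    try:
        return "ok:" + read_under_root(root, rel_path).decode()
    except (OSError, ValueError) as e:
        return "denied:" + type(e).__name__


if __name__ == "__main__":
    r = build_fixture()
    for rel in ["docs/readme.txt", "docs/leak.txt", "docs/escape/secret.txt", "../x", "docs"]:
        print(rel, "->", try_read(r, rel))
```

The lexical rejection of `..` is a defence in depth, not the main control: even if a component were swapped for a symlink between two calls, the `O_NOFOLLOW` open of that component fails, so there is no state for a race to exploit.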
