The Model Context Protocol (MCP) is an open protocol designed to standardize how large language models (LLMs) connect to external tools, APIs, and data sources. Rather than relying on ad hoc, model-specific integrations, MCP defines a structured client–server architecture that allows AI applications to request context and invoke tools in a more consistent and interoperable way. 

This abstraction layer is becoming more important as enterprises move beyond isolated chat interfaces toward AI systems that must integrate with ticketing platforms, code repositories, CI/CD pipelines, knowledge bases, cloud services, and more. MCP offers a shared interface for invoking tools and sharing data, which makes systems easier to connect, improves portability, and helps build scalable AI-driven automation.

MCP is particularly significant in the era of agentic AI, where models do more than generate text—they plan, “reason,” and take actions across external systems. In such architectures, an AI agent may autonomously retrieve data, execute commands, and trigger workflows. This expanded capability dramatically increases the security stakes, as MCP's design allows it to act on the user's behalf. 

A core principle is that the agent should only do what the user is permitted to do. If the server isn't carefully designed, you risk a confused deputy scenario, in which the server (the deputy), holding broad privileges, performs an action that the particular user behind the request shouldn't have access to.

A wealth of resources exists in MCP’s Security Best Practices guide, detailing the proper implementation of both the server and client components of MCP, analyzing potential security vulnerabilities and providing corrective security guidance for the development and configuration of MCP-based products. With this information and our expertise, we are presenting ways you can use open technologies and Red Hat products to develop, configure and deploy secure MCP servers. 

In this article, the first in a planned series, we put MCP security into perspective by discussing recent MCP security issues that expose systems to remote code execution, data exfiltration, and even privilege escalation. 

The GitHub MCP server security flaw

The GitHub MCP vulnerability found in May 2025 demonstrates a prompt-injection-driven attack against agentic AI systems using the GitHub Model Context Protocol (MCP) integration. To execute this attack, a crafted malicious issue is posted on a public repository. When a user’s AI assistant, the MCP client, is told to “check open issues,” it fetches the issues via the MCP server, interprets the injected text as a command, and then unwittingly accesses and exfiltrates data from the user’s associated private repository, autonomously creating a public pull request containing sensitive information. 

This exploit uses a fundamental flaw in the security model—that agents trust external content (the GitHub issue text), and follow instructions from untrusted sources without sufficient context isolation or fine-grained permission checks—rather than a classic software bug in the MCP server code itself. 

Mitigations include enforcing least-privilege access by restricting agent access only to specific repositories, implementing runtime security guardrails to enforce dataflow policies, and continuous monitoring/scanning of MCP interactions. An example could be proxying and auditing calls to detect and block toxic agent flows before they can trigger unintended tool use.
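As an added illustration of the last two mitigations (not code from the original article, GitHub, or the MCP project), the following Python sketch models a guard sitting between the MCP client and server that enforces a repository allowlist and a session-level dataflow rule: once a private repository has been read, any write to a non-private repository is refused. The tool names and repository names are constructed for the example; the guard keys only on its own read/write classification, not on any real GitHub MCP tool list.

```python
from dataclasses import dataclass

# Illustrative tool names, classified by whether they read or write repository state.
READ_TOOLS = {"list_issues", "get_issue", "get_file_contents", "search_code"}
WRITE_TOOLS = {"create_pull_request", "create_issue", "add_issue_comment", "push_files"}


@dataclass(frozen=True)
class ToolCall:
    tool: str
    repo: str  # "owner/name"


@dataclass
class Policy:
    allowed_repos: set  # least privilege: the only repos this agent may touch at all
    private_repos: set  # repos whose contents must never flow into a public write


@dataclass
class Decision:
    call: ToolCall
    allowed: bool
    reason: str


class AgentFlowGuard:
    """Sees every tool call of one agent session and refuses calls that leave the
    repo allowlist or move data from a private repo to a non-private write."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.tainted_by = set()  # private repos that have been read so far
        self.audit = []          # every decision, for monitoring

    def check(self, call: ToolCall) -> Decision:
        if call.repo not in self.policy.allowed_repos:
            d = Decision(call, False, f"{call.repo} is outside the agent's repo allowlist")
        elif call.tool not in READ_TOOLS | WRITE_TOOLS:
            d = Decision(call, False, f"unknown tool {call.tool}; default deny")
        elif (call.tool in WRITE_TOOLS
              and call.repo not in self.policy.private_repos
              and self.tainted_by):
            d = Decision(call, False,
                         f"write to {call.repo} after reading private "
                         f"{sorted(self.tainted_by)}; possible exfiltration")
        else:
            d = Decision(call, True, "ok")
            if call.tool in READ_TOOLS and call.repo in self.policy.private_repos:
                self.tainted_by.add(call.repo)
        self.audit.append(d)
        return d


def run_session(policy: Policy, calls) -> list:
    """Replay a sequence of tool calls through a fresh guard and return the decisions."""
    guard = AgentFlowGuard(policy)
    return [guard.check(c) for c in calls]


# Constructed replay of the disclosed pattern: the agent reads issues on a public repo
# (where the injected instructions live), reads a private repo, then opens a public PR.
TOXIC_FLOW = [
    ToolCall("list_issues", "org/public-tool"),
    ToolCall("get_file_contents", "org/private-notes"),
    ToolCall("create_pull_request", "org/public-tool"),
]

if __name__ == "__main__":
    policy = Policy(allowed_repos={"org/public-tool", "org/private-notes"},
                    private_repos={"org/private-notes"})
    for d in run_session(policy, TOXIC_FLOW):
        print(d.call.tool, d.call.repo, "ALLOW" if d.allowed else "DENY", "-", d.reason)
```

With both repositories in the allowlist, the dataflow rule stops the flow at the third call, the public pull request. With the private repository removed from the allowlist, least privilege stops it one step earlier, at the private read, so the later pull request carries nothing sensitive.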

The Anthropic Filesystem MCP server flaw

The EscapeRoute vulnerabilities in the Filesystem MCP server stem from fundamental sandbox-break flaws that allow attackers to bypass intended file access restrictions and execute arbitrary code on the host. CVE-2025-53110 abuses a naive prefix string check in the server's path validation, so that any directory whose name merely starts with an "allowed" path, for example, /private/tmp/allow_dir_sensitive_credentials, is treated as permitted. This enables unauthorized listing, reading, or writing of files outside the intended scope. CVE-2025-53109 chains this with a symlink bypass that defeats symbolic link checks by falling back to parent-directory validation, ultimately giving attackers full read/write access to the filesystem and potential code execution via mechanisms such as launch agents or cron jobs.

This undermines the core security model of the MCP Filesystem server—its sandbox containment—because trusted prefix matching and faulty symlink handling allow untrusted operations to escape confinement without exploiting memory corruption. 

Mitigations include immediately upgrading to patched versions to fix these CVEs, enforcing the principle of least privilege on MCP services, enforcing robust path validation and sandboxing logic, and including continuous security validation and monitoring of MCP servers to catch containment bypass attempts before they lead to compromise.
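To make the "robust path validation" mitigation concrete, here is an added example (written for this article, not the Filesystem MCP server's own code) that places a naive prefix check of the kind described above next to a hardened check. The hardened version resolves symlinks and `..` with `os.path.realpath` and then compares path components with `os.path.commonpath`, so a sibling directory sharing a name prefix and a symlink pointing out of the sandbox are both rejected. The directory layout is constructed in a temporary directory purely for the demonstration.

```python
import os
import shutil
import tempfile


def is_allowed_prefix_check(allowed_root: str, candidate: str) -> bool:
    """Naive check: plain string prefix on the unresolved path.
    Kept here only to show why it fails; do not use."""
    return os.path.abspath(candidate).startswith(allowed_root)


def is_allowed_hardened(allowed_root: str, candidate: str) -> bool:
    """Resolve symlinks and '..' first, then require the resolved target to be the
    root itself or to lie inside it as a whole path component."""
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        # Different drives (Windows) or a mix of absolute and relative paths.
        return False


def build_fixture() -> dict:
    """Constructed layout: an allowed dir, a look-alike sibling sharing its name
    prefix, an outside dir with a secret, and a symlink from inside to outside."""
    base = tempfile.mkdtemp(prefix="mcp-fs-demo-")
    allowed = os.path.join(base, "allow_dir")
    lookalike = os.path.join(base, "allow_dir_sensitive_credentials")
    outside = os.path.join(base, "outside")
    for d in (allowed, lookalike, outside):
        os.makedirs(d)
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("constructed secret\n")
    with open(os.path.join(lookalike, "creds.txt"), "w") as f:
        f.write("constructed credentials\n")
    # Symlink inside the sandbox that points at a directory outside it.
    os.symlink(outside, os.path.join(allowed, "escape"))
    return {"base": base, "allowed": allowed, "lookalike": lookalike, "outside": outside}


def run_checks() -> dict:
    """Return {case: (naive_result, hardened_result)} for four representative paths."""
    fx = build_fixture()
    try:
        cases = {
            "inside": os.path.join(fx["allowed"], "notes.txt"),
            "prefix_lookalike": os.path.join(fx["lookalike"], "creds.txt"),
            "symlink_escape": os.path.join(fx["allowed"], "escape", "secret.txt"),
            "dotdot_escape": os.path.join(fx["allowed"], "..", "outside", "secret.txt"),
        }
        return {
            name: (is_allowed_prefix_check(fx["allowed"], p),
                   is_allowed_hardened(fx["allowed"], p))
            for name, p in cases.items()
        }
    finally:
        shutil.rmtree(fx["base"], ignore_errors=True)


if __name__ == "__main__":
    for name, (naive, hardened) in run_checks().items():
        print(f"{name:18s} naive={naive!s:5s} hardened={hardened}")
```

The naive check accepts both the look-alike directory and the symlink escape; only the hardened check confines access to the intended root. Note that `realpath` on a path whose final component does not yet exist still resolves every existing component, so the check also covers writes that create new files through a symlinked parent.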

Hundreds of vulnerable MCP servers in the wild

In June 2025, researchers analyzing publicly exposed MCP servers identified widespread security weaknesses across thousands of deployments, revealing systemic misconfiguration and unsafe defaults rather than flaws in the core protocol itself. Their investigation found many MCP servers bound to 0.0.0.0, meaning they were accessible to any device on the same local network without authentication. This condition, sometimes referred to as "NeighborJack," allows attackers to connect directly to and interact with the exposed MCP tools.

In numerous cases, these servers also exposed tools capable of executing operating-system commands without proper input validation or privilege restriction, enabling attackers on the same network to trigger arbitrary command execution, access sensitive files, scrape memory, or exfiltrate data from the host machine. The underlying issue was a combination of insecure network exposure, lack of authentication, excessive tool permissions, and unsafe command handling. 

Mitigations include binding MCP servers only to loopback interfaces where appropriate, enforcing strong authentication and authorization, applying strict input validation and command sanitization, limiting tool capabilities through least-privilege design, and placing MCP services behind proper network segmentation with firewall controls to prevent unauthorized access.
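As an added example for the first mitigation (not code from the article or from the researchers' tooling), the Python below audits listener records in the format of Linux `ss -ltnp` output and flags any process from a given set of MCP server process names that is bound to a wildcard address. The sample lines and process names are constructed; on a real host you would feed it the actual `ss -ltnp` output. It also shows the corrected bind, a socket bound to the loopback address only.

```python
import re
import socket
from dataclasses import dataclass

# One line of `ss -ltnp` output: state, queues, local addr:port, peer, owning process.
SS_LISTEN = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

# Addresses that mean "every interface", in the spellings ss uses for v4 and v6.
WILDCARD_ADDRS = {"0.0.0.0", "::", "[::]", "*"}


@dataclass(frozen=True)
class Finding:
    pid: int
    proc: str
    addr: str
    port: int
    reason: str


def parse_listener(line: str):
    """Return (proc, pid, addr, port) for a listening socket line, or None."""
    m = SS_LISTEN.match(line.strip())
    if not m:
        return None
    return m.group("proc"), int(m.group("pid")), m.group("addr"), int(m.group("port"))


def audit_listeners(lines, mcp_processes) -> list:
    """Flag MCP server processes that listen on all interfaces."""
    findings = []
    for line in lines:
        rec = parse_listener(line)
        if rec is None:
            continue
        proc, pid, addr, port = rec
        if proc not in mcp_processes:
            continue
        if addr in WILDCARD_ADDRS:
            findings.append(Finding(
                pid, proc, addr, port,
                "bound to all interfaces; reachable by any host on the network"))
    return findings


def bind_loopback(port: int = 0) -> str:
    """The corrected setting: bind to 127.0.0.1 only and return the bound address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return s.getsockname()[0]
    finally:
        s.close()


# Constructed sample of `ss -ltnp` output; pids and process names are made up.
SAMPLE_SS = [
    'LISTEN 0 128 0.0.0.0:8000 0.0.0.0:* users:(("mcp-server",pid=4242,fd=3))',
    'LISTEN 0 128 127.0.0.1:8001 0.0.0.0:* users:(("mcp-server",pid=4243,fd=3))',
    'LISTEN 0 128 [::]:8002 [::]:* users:(("mcp-server",pid=4244,fd=3))',
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))',
]

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, {"mcp-server"}):
        print(f"pid {f.pid} ({f.proc}) {f.addr}:{f.port}: {f.reason}")
    print("loopback bind gives", bind_loopback())
```

Only the two MCP listeners on `0.0.0.0` and `[::]` are reported; the one on `127.0.0.1` and the unrelated `sshd` are not. A loopback bind is the right default for a server that only a local MCP client should reach; anything that must be remote belongs behind authentication and network segmentation, as the article notes.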

Final thoughts 

These recent MCP security flaws are only a small fraction of the issues that have been publicly disclosed. Consider also the large number of private MCP servers running in obscure deployment environments that may be just as vulnerable.

Stay tuned! We'll be back in future articles to talk about mitigating these security issues and about how to better protect your MCP deployments using Red Hat products and services.

Learn more about Red Hat product security.


About the author

Huzaifa Sidhpurwala is a Senior Principal Product Security Engineer for AI security, safety and trustworthiness, working in the Red Hat Product Security Team.
