mcp-tool-poisoninglisted

# MCP Tool Poisoning ## Attack Surface The Model Context Protocol (MCP) exposes a `tools/list` endpoint that returns tool names, descriptions, and parameter schemas to the connected LLM. This content is treated as trusted context by the model — it influences how the model reasons about and uses those tools. **Key vulnerability:** MCP does not require authentication for `tools/list`. A compromised, malicious, or misconfigured MCP server can inject arbitrary instructions into the LLM's tool context without the user's knowledge. Empirical data: A study of 1,899 open-source MCP servers found 5.5% exhibited tool poisoning vulnerabilities. CVE-2025-32711 (EchoLeak, CVSS 9.3) demonstrated production exploitation. ## References ``` references/ known-cvss.md CVE-2025-32711, CVE-2025-6514, and related MCP CVEs ``` ## Attack Variants | Attack | Mechanism | Impact | |---|---|---| | Description injection | Hidden instructions in tool description field | LLM executes attacker instructions as part of normal tool use | | Shadow tool injection | Malicious tool with name similar to legitimate tool | LLM selects attacker's tool instead of intended one | | Parameter poisoning | Injected instructions in parameter `description` fields | Per-parameter control of LLM behavior | | Cross-server propagation | Poisoned tool output consumed by other MCP servers | Lateral movement through multi-agent pipeline | ## Methodology ### Phase 1 — Enumerate MCP tools ```bash # Direct unauthentic