But MCP servers are more analogous to a PyPI packages you pip install, npm modules you add to your project or a VSCode extension.
Nobody would argue that pip is fundamentally broken because running pip install malicious-package can compromise your system. That's expected behavior when you execute untrusted code.
1. Not all MCP tools connect to the web or fetch emails. So the shortcut all MCP's are doomed is also the wrong way to adress this.
2. Issue is with MCP with untrusted external sources like web/email that need sanitization like we do with web forms.
3. A lot of warning point bad MCP's! But that apply to any code you might download/ use from the internet. Any package can be flawed. Are you audit them all?
So yeah, on my side I feel this security frenzy over MCP is over hyped. VS the real risk and there is a lot of shortcuts, masking a key issue that is supply chain as an MCP owned issue here and I see that in so many doom comment here.
Every developer I have ever met that wasn't in the security space underestimates security problems. Every one.
YMMV
companies taking this seriously and awarding bounties is indicative it's fairly severe
The RCE/Malware issue aside, if the website you go to is a login page for some service, do you know it's the legitimate website? MCP Phishing is going to be a thing
So there is a chain of issues and you need to leverage them to get there and first pick an MCP that is flawed from a bad actor.
The stream of vulnerability discoveries has been constant.
But even if LLMs will have a fundamental hard separation between "untrusted 3rd party user input" (data) and "instructions by the 1st party user that you should act upon" (commands) because LLMs are expected to analyze the data using the same inference models as interpreting commands, there is no separate handling of "data" input vs "command" input to the best of my understanding, therefore this is a fundamentally an unsolvable problem. We can put guardrails, give MCPs least privilege permissions, but even with that confused deputy attacks can and will happen. Just like a human can be fooled by a fake text from the CEO asking them to help them reset their password as they are locked out before an important presentation to a customer, and there is no single process that can 100% prevent all such phishing attempts, I don't believe there will be a 100% solution to prevent prompt injection attacks (only mitigated to become statistically improbable or computationally hard, which might be good enough)
Is this a well known take and I'm just exposing my ignorance?
EDIT: my apologies if this is a bit off topic, yes, it's not directly related to the XSS attack in the OP post, but I'm past the window of deleting it.
edit: after parent clarification
edit: thanks for the feedback!
Then we just need to train LLMs to 1. not treat user provided / tool provided input as instructions (although sometimes this is the magic, e.g. after doing tool call X, do tool call Y, but this is something the MCP authors will need to change, by not just being an API wrapper...)
2. distinguish between a real close tag and an escaped one, although unless it's "hard wired" somewhere in the inference layer, it's only a matter of statistically improbable for an LLM to "fall for it" (I assume some will attempt, e.g. convince the LLM there is instruction from OpenAI corporate to change how these tags are escaped, or that there is a new tag, I'm sure there are ways to bypass it, but it's probably going to make it less of an issue).
I assume this is what currently being done?
For recent examples check out my Month of AI bugs with of a focus on coding agents at https://embracethered.com/blog/posts/2025/wrapping-up-month-...
Lots of interesting new prompt injection exploits, from data exfil via DNS to remote code execution by having agents rewrite their own configuration settings.
Perhaps minimal, but this does in fact prevent the specific attack vector they demonstrated. The criticism seems unnecessarily harsh given that Google addressed the vulnerability immediately.
MCP is not that elegant anyway, looks more like a hack and ignores decades of web dev/security best practices.
Also MCP is only transport and there is a lot of mixup to blame the MCP, as most of the prompt injection and similar come from the "TOOLS" behind the MCP. Not MCP as it self here.
Seem this security hype forget one key point: Supply chain & trusted sources.
What is the risk running an MCP server from Microsoft? Or Anthropic? Google?
All the reports explain attacks using flawed MCP servers, so from sources that either are malicious or compromised.
Really doesn't help when discovery of "quality" MCP tools, whatever that means, is so difficult.
MCP is a novel technology that will probably transform our world, provides numerous advantages, comes with some risks, and requires skill to operate effectively.
Sure, none of the underlying technologies (JSON-RPC, etc.) are particularly novel. But the capability negotiation handshake built into the protocol is pretty darn powerful. It's a novel use of existing stuff.
I spent years in & around the domain of middleware and integrations. There's something really special about the promise of universal interoperability MCP offers.
Just like early-aviation, there are going to be tons of risks. But the upside is pretty compelling and worth the risks. You could sit around waiting for the kinks to get worked out or dive in and help figure out those kinks.
In fact, it seems I'm the first person to seriously draw attention to the protocol's lack of timeout coordination, which is a serious problem[0]. I'm just a random person in the ecosystem who got fed up with timeout issues and realized it's up to all of us to fix the problems as we see them. So there's still plenty of opportunity out there to jump in and contribute.
Kudos to this team for responsibly contributing what they found. These risks are inherent in any new technology.
[0]: https://github.com/modelcontextprotocol/modelcontextprotocol...
What is novel is the "yolo vibe code protocol with complete disregard to any engineering practices, and not even reading at least something about that was there before". That is, it's world's first widely used vibe-coded protocol.
That's why you have one-way protocols awkwardly wrapped to support two-way communication (are they on their third already?). That's why auth is an afterthought. That's why there's no timeout coordination.
But the idea itself is compelling: documentation + invocation in a bi-directional protocol. And enough real players have thrown their weight behind making this thing work that it probably some day will.
I don't understand fully the "it's immature so it's worthy or ridicule" rationale so much. Don't most good things start out really rough around the edges? Why does MCP get so much disdain?
I'm still not sure why everyone's acting like it's some well thought out system and not just tool descriptions shoveled into JSON and then shoved at an LLM. It's not a fundamental architectural change to enhance tool calls, it just got given a fancy name.
I do get that having a common structure for tool calling is very convenient but it's not revolutionary. What's revolutionary is everyone training their models for a tool calling spec and I'm just not sure that we've seen that yet.
And you need tools to connect to external "systems", the context "pollution" can be managed easily. Also even if you don't use MCP you need to use tools and they need to expose their schema to the AI model.
I feel the MCP hype over bad security got a lot confused and very defensive over MCP or more globally tools use.
And why wouldn't we move toward that direction instead of inventing a new protocol?
> Glad it’s fixed!
It's astonishing how allergic some people are to writing their own code, even the simplest shit has to be a dependency. Let's increase the attack surface, that's fine, what can go wrong, right?
https://github.com/modelcontextprotocol/use-mcp/commit/96063...
So you need a server flawed + XSS issue on Cloudflare.
Then you need to use Claude Code, so it's more an issue in Claude Code/Gemini implementation already than MCP.
So if you are ok to run any MCP from any source you have worse issues.
But good find in the open command how it's used in Claude Code/Gemini.