Model Context Problems

At its core, the article argues that MCP is too token-hungry to be practical at production scale, with tool definitions consuming the majority of context before any user request is even processed. Several major companies are independently abandoning it in favor of lighter-weight alternatives like traditional APIs and CLIs.

Noma Labs discovered the ContextCrush vulnerability in Context7, a registry that delivers coding documentation to AI assistants via an MCP server. Attackers manipulated the platform's Custom Rules feature to plant malicious instructions. When an AI coding assistant (like Cursor or Windsurf) queried the documentation, it ingested the poisoned rules via the trusted MCP channel and autonomously executed harmful actions, such as stealing .env files.

BlueRock researchers discovered a severe Server-Side Request Forgery (SSRF) flaw in the MCP server built for Microsoft's MarkItDown file converter. The server failed to validate URIs, allowing attackers to force the AI agent to query local cloud metadata endpoints (e.g., AWS 169.254.169.254). Subsequent scans revealed over 36% of public MCP servers contained similar SSRF vulnerabilities.

Cyata researchers disclosed a chain of critical vulnerabilities in Anthropic's official Git MCP server. The flaws included an unrestricted git_init function, a path-validation bypass, and an argument-injection vulnerability. Attackers could chain these to turn arbitrary directories into Git repositories, overwrite system files, and achieve RCE via malicious .git/config manipulation.

Cymulate disclosed two high-severity defects in Anthropic's official Filesystem MCP Server. Attackers exploiting these flaws could list, read, or write to directories outside the allowed scope. If the server was run as a privileged user, this could lead to full sandbox escape, manipulation of critical system files, and privilege escalation.

Oligo Security and Tenable discovered a critical flaw (CVSS 9.4) in the Anthropic MCP Inspector tool. Because the interactive web UI launched via localhost lacked out-of-the-box authentication, an attacker on the same local network could inject malicious commands (NeighborJacking) or use cross-site attacks to achieve RCE.

The JFrog Security Research team discovered a critical vulnerability (CVSS 9.6) in mcp-remote, a popular proxy tool (over 437,000 downloads) used to connect local LLM hosts to remote MCP servers. If a user connected to a malicious remote MCP server, the server could send a booby-trapped authorization_endpoint URL that achieved full arbitrary OS command execution on the user's local machine.

Work management platform Asana had to temporarily disable its experimental MCP feature after discovering a logic flaw in its implementation. The misconfiguration failed to isolate cross-tenant data, meaning AI agents could potentially access customer data, projects, and tasks belonging to entirely different organizations.

A severe vulnerability (CVSS 8.8) dubbed AgentSmith was disclosed in LangSmith's Prompt Hub. The flaw exposed AI agents using MCP to data theft and manipulation, allowing malicious agents to hijack LLM responses and steal user API keys.

Security researchers at Invariant Labs discovered a critical vulnerability affecting the official GitHub MCP integration. Attackers could create maliciously crafted issues in public repositories. When a developer asked their AI assistant to check open issues, the AI would read the malicious payload, get prompt-injected, and autonomously use the developer's credentials to exfiltrate private repository data (such as source code and salary information) into public pull requests.