Hundreds of Model Context Protocol (MCP) servers around the world are open to abuse, with vulnerabilities that put vibe coders and their organization's sensitive assets at risk.
Introduced late last year, MCP servers are an easy-to-use extension of LLMs, thanks to the simplicity of their protocols, and have come into widespread use due to the broad availability of independently developed MCPs.
However, according to analysis from Backslash Security, around half of the 15,000-plus MCP servers in existence are dangerously misconfigured or carelessly built. The resulting vulnerabilities are in some cases catastrophic, the company warned.
They fall under two general headings. First is the MCP ‘NeighborJack’ vulnerability, whereby hundreds of MCP servers are explicitly bound to all network interfaces (0.0.0.0), making them accessible to anyone on the same local network.
This was the most common vulnerability found, with hundreds of cases discovered.
"Imagine you’re coding in a shared co-working space or café. Your MCP server is silently running on your machine," the researchers said.
"The person sitting near you, sipping their latte, can now access your MCP server, impersonate tools, and potentially run operations on your behalf."
Meanwhile, dozens of MCP servers allowed arbitrary command execution on the host machine thanks to careless use of a subprocess, a lack of input sanitization, or security bugs such as path traversal.
Most concerning of all, on several MCP servers both vulnerabilities were present, allowing bad actors to take full control of the host machine running the server.
Malicious actors that come across these MCP servers would have full access to run any command, scrape memory, or impersonate tools used by AI agents, Backslash said.
Meanwhile, beyond code execution, MCPs can serve as stealthy pathways for prompt injection and context poisoning, Backslash warned. Malicious or manipulated public content can change what an LLM sees - returning misleading data, or rerouting agent logic.
“Our research highlights several prevalent MCP server weaknesses that can open enterprise environments to threat vectors including remote code execution, data exposure, and network traversal,” said Yossi Pik, co-founder and CTO of Backslash Security.
More trouble on the way for MCP servers
In a yet-to-be-released finding, Backslash said it also identified an exploit path involving a seemingly benign public document that can trigger a cascading compromise, because the MCP silently connected it into the LLM agent’s logic without proper boundaries.
The issue here wasn’t a vulnerability in the MCP code itself, but rather in the configuration of the data source it accessed. Backslash said the issue affects a 'very popular' tool with tens of thousands of users and that it's currently working with the vendor to coordinate responsible disclosure.
The company has now launched a free self-assessment tool for vibe coding environments to help security teams gain visibility into the vibe coding tools being used in their organizations, continuously gauging the risk posed by large language models (LLMs), MCP servers, and IDE AI rules in use.
"It's critical to give developers and vibe coders the tools and guidance to safely navigate this emerging attack service, which is why we’ve created the MCP Server Security Hub," said Pik.
"Developers will continue to tap MCP servers' flexibility and utility, so we wanted to give the community a safer means of doing so."
MORE FROM ITPRO
- The NCSC wants developers to get serious on software security
- Shifting left might improve software security, but developers are becoming overwhelmed
- Software security debt is spiraling out of control
-
Microsoft could be preparing for a crackdown on remote workNews The tech giant is the latest to implement stricter policies around hybrid working without requiring a full five days in the office
-
JetBrains CEO on how developers must transform with AIInterview There may still be a place for strong developer progression in the age of AI, if workers can adapt to rapid changes
-
84% of software developers are now using AI, but nearly half 'don't trust' the technology over accuracy concernsNews AI coding tools are delivering benefits for developers, but they’re still worried about security and compliance
-
Think AI coding tools are speeding up work? Think again – they’re actually slowing developers down
News AI coding tools may be hindering the work of experienced software developers, according to new research
-
OpenAI's plan to acquire AI coding startup Windsurf ended in disaster – here’s how the deal fell apartNews The acquisition by Cognition comes after a rumored $3bn offer from OpenAI fell through
-
Atlassian says AI has created an 'unexpected paradox' for software developers – they're saving over 10 hours a week, but they’re still overworked and losing an equal amount of time due to ‘organizational inefficiencies’News While AI is helping save developers over 10 hours a week, these productivity boosts are being offset by growing workloads and poor operational efficiency, Atlassian says.
-
AI coding tools are booming – and developers in this one country are by far the most frequent usersNews AI coding tools are soaring in popularity worldwide, but developers in one particular country are among the most frequent users.
-
AI-generated code is in vogue: Developers are now packing codebases with automated code – but they’re overlooking security and leaving enterprises open to huge risksNews While AI-generated code is helping to streamline operations for developer teams, many are overlooking crucial security considerations.
-
Mistral targets security-conscious developers with new AI coding assistantThe coding assistant, available now in private preview, will be fully customizable
-
Big tech promised developers productivity gains with AI tools – now they’re being rendered obsoleteOpinion Big tech promised software developers huge benefits with AI tools, but now they face job cuts as companies ramp up automation.
