Endor Labs — MCP needs AppSec as classic vulns hit agent tooling

• Category: Security

AI relevance: MCP servers are the tool layer for AI agents; classic AppSec bugs in those servers let prompt-injected content trigger dangerous tool calls, turning routine agent workflows into RCE paths.

  • Endor Labs frames MCP as the “USB-C for AI apps,” noting rapid adoption (over 1,000 MCP servers created in a single week) alongside a steady stream of 2025–2026 vulnerability disclosures.
  • The core issue is not novel exploits but classic flaws—command injection, SSRF, path traversal, missing auth, and poor input validation—now embedded in agent-facing tooling.
  • In a review of 2,614 MCP implementations, Endor Labs found 82% using filesystem operations prone to path traversal, 67% using APIs tied to code injection, and 34% using APIs tied to command injection.
  • Recent CVEs in Anthropic’s mcp-server-git reference implementation show how missing repo-path validation and unsanitized CLI args create exploitable tool calls.
  • The Framelink Figma MCP server (CVE-2025-53967) highlights indirect prompt-injection risk: malicious file keys can reach a curl command path and execute shell metacharacters.
  • Endor Labs emphasizes that MCP vulnerabilities become more dangerous because an attacker with no direct network access to the server can still trick the agent into calling tools on attacker-controlled inputs.

Why it matters

  • MCP is rapidly becoming the default integration layer for agents; insecure servers turn AI assistants into a delivery path for classic AppSec attacks.
  • Prompt injection makes exposure wider than normal web apps: the attacker can hide payloads in docs, tickets, or files the agent reads.
  • Enterprises adopting MCP need AppSec-style controls, not just LLM safety filters.

What to do

  • Threat model MCP as application infrastructure: enforce auth, input validation, and output encoding on every tool endpoint.
  • Harden tool execution: eliminate shell-outs, sanitize arguments, and use allowlists for file paths and URLs.
  • Instrument prompt-to-tool traces: log tool invocations with inputs so injection attempts are detectable.
  • Patch known MCP CVEs: verify whether your MCP servers inherit issues from popular reference implementations.
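One way to apply the hardening steps above inside a Python MCP tool handler, as an added example (not code from Endor Labs or from any of the servers named above); the repository root, the file-key alphabet and the fetch URL are assumptions:

```python
import re
import subprocess
from pathlib import Path

# Constructed example. REPO_ROOT and FILE_KEY_RE are hypothetical policy values
# a server operator would set; they are not taken from any real MCP server.
REPO_ROOT = Path("/srv/mcp/repos").resolve()          # assumed allowlisted root
FILE_KEY_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")      # assumed key alphabet


def resolve_repo_path(user_path: str, root: Path = REPO_ROOT) -> Path:
    """Confine a user-supplied repo path to the allowlisted root (path-traversal check)."""
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)   # raises ValueError if it escaped the root
    except ValueError:
        raise ValueError(f"repo path escapes allowed root: {user_path!r}") from None
    return candidate


def validate_file_key(file_key: str) -> str:
    """Allowlist the key format; shell metacharacters never match and are rejected."""
    if not FILE_KEY_RE.fullmatch(file_key):
        raise ValueError(f"invalid file key: {file_key!r}")
    return file_key


def build_fetch_argv(file_key: str, base_url: str = "https://files.example.invalid") -> list:
    """Build an argv list (never a shell string) for the fetch; key is validated first."""
    key = validate_file_key(file_key)
    return ["curl", "--fail", "--silent", f"{base_url}/{key}"]


def build_git_log_argv(repo: str, max_count: int = 10) -> list:
    """git runs only inside a confined path; '--' stops values being read as git options."""
    path = resolve_repo_path(repo)
    return ["git", "-C", str(path), "log", f"--max-count={int(max_count)}", "--"]


def run_tool(argv: list) -> subprocess.CompletedProcess:
    # shell=False hands argv straight to exec: no shell, so no metacharacter expansion.
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)
```

Logging each argv passed to run_tool, together with the raw tool input it was derived from, gives the prompt-to-tool trace the third bullet asks for.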

Links