arXiv: Viper-MCP Finds 106 0-Day Vulnerabilities in MCP Servers
AI relevance: MCP servers expose privileged operations — shell execution, file-system access, network calls — directly to LLM agents, so taint-style vulnerabilities in their tool handlers create a direct path from natural-language input to remote code execution.
Key Findings
- Researchers built Viper-MCP, the first end-to-end automated vulnerability auditing framework for MCP servers that both detects taint-style vulnerabilities and dynamically confirms exploitability via concrete proof-of-concept prompts.
- Scanned 39,884 real-world open-source MCP server repositories across GitHub, finding vulnerabilities in projects ranging from simple file-system wrappers to complex integrations with Docker daemons and cloud databases.
- Discovered 106 0-day vulnerabilities, all confirmed through end-to-end exploit traces, with 67 CVE IDs assigned to date.
- The framework uses two novel techniques: an anchor-query pass that maps taint alerts to specific MCP tool handlers, and a feedback-driven prompt evolution mechanism with dual-mutator scheduling that iteratively refines natural-language prompts toward vulnerable sinks.
- One highlighted finding: a root-privilege RCE in Bytebot (10.8k GitHub stars), a popular computer-use agent, where a crafted file-path value injected through natural language spawns a reverse shell with full root access inside its Docker container.
- All findings were responsibly disclosed to affected developers.
Why It Matters
Unlike traditional web injection flaws where input enters through defined HTTP parameters, MCP introduces an extra indirection: the attacker crafts a natural-language prompt, the LLM autonomously selects an MCP tool and populates arguments, and the server-side handler propagates those into dangerous sinks like exec, fetch, or fs.readFile. Neither the attacker nor the agent explicitly invokes the vulnerable function, making these flaws harder to detect but equally severe. Static analysis tools produce unconfirmed alerts; dynamic tools lack code-level guidance. Viper-MCP bridges both gaps by confirming that a real LLM agent can be steered through natural language alone to trigger the vulnerability.
What to Do
- Audit every MCP server in your stack for taint-style vulnerabilities: sanitize and validate all tool-handler inputs before they reach
exec,fetch, or file-system operations. - Run Viper-MCP (code will be released as an anonymous artifact) against your own MCP server codebase to identify unvalidated taint paths.
- Apply strict input validation and least-privilege sandboxing to MCP tool handlers, especially those wrapping shell commands or network requests.
- Monitor for anomalous tool invocation patterns that suggest an agent is being steered toward vulnerable handlers.