VIPER-MCP Scans 40,000 Repos, Finds 106 Zero-Days in MCP Servers
AI relevance: the Model Context Protocol is the standard for connecting tools to AI agents, and VIPER-MCP's discovery of 106 zero-day vulnerabilities across ~40,000 scanned MCP server repositories shows that the tool-connection layer is becoming the largest single attack surface in the agentic AI stack.
Key findings
- VIPER-MCP is a combined static-and-dynamic analysis framework designed to find taint-style vulnerabilities specifically in MCP servers.
- Scanning 39,884 open-source MCP server repositories, VIPER-MCP discovered 106 zero-day vulnerabilities, all confirmed through end-to-end exploit traces.
- 67 CVE IDs have been assigned to date, pinned at the exact vulnerable commits.
- 67 of the 130 servers in the resulting dataset were originally discovered by VIPER-MCP; the remainder came from previously known vulnerable servers.
- The framework demonstrates that taint analysis — a technique long used for web applications — is highly effective against MCP servers, which often pass user-controlled input directly to database queries, shell commands, and API calls.
- This follows other MCP-focused disclosures this month: Akamai found SQL injection in the Apache Doris MCP server, unauthenticated metadata exfiltration in Alibaba's RDS MCP, and a potential takeover in Apache Pinot's MCP — with one vendor declining to patch.
Why it matters
The scale of findings is staggering: 106 confirmed zero-days from a single automated scan. This reveals a systemic problem — MCP servers are being written and deployed without the security review that traditional application servers receive. Because MCP servers are the bridge between AI agents and real-world systems (databases, cloud APIs, file systems), a taint-style vulnerability in an MCP server can give an attacker direct access to an organization's most sensitive infrastructure through the agent's tool calls. The combination of rapid deployment, minimal security review, and high-privilege access makes this the most dangerous class of AI supply-chain vulnerabilities currently known.
What to do
- Audit all MCP servers in your stack against the VIPER-MCP CVE list and the known Akamai disclosures.
- Apply taint-analysis tools to any custom MCP servers you maintain — treat user input flowing to tools as untrusted by default.
- Implement allowlists for which MCP servers an agent can connect to, with signed clearance assertions where possible.
- Run MCP servers in sandboxed environments with least-privilege access to backend systems.
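As an illustration of the taint-analysis step recommended above, here is a minimal source-to-sink check for Python MCP servers. It is an added example, not VIPER-MCP's implementation or code from any scanned project. It assumes tool handlers are marked with a `tool` decorator (as in the Python MCP SDK's `@mcp.tool()`); the sample handlers and the `db` object are constructed for the demonstration.

```python
import ast

# Constructed sample MCP server source; it is only parsed, never executed.
SAMPLE = '''
@mcp.tool()
def find_user(name: str) -> list:
    query = f"SELECT * FROM users WHERE name = '{name}'"
    return db.execute(query).fetchall()

@mcp.tool()
def find_user_safe(name: str) -> list:
    return db.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

@mcp.tool()
def ping(host: str) -> str:
    cmd = "ping -c 1 " + host
    return subprocess.run(cmd, shell=True, capture_output=True).stdout.decode()
'''

def is_tool(fn):
    # Matches @mcp.tool, @mcp.tool() and bare @tool decorators.
    targets = [d.func if isinstance(d, ast.Call) else d for d in fn.decorator_list]
    return any(getattr(t, "attr", getattr(t, "id", None)) == "tool" for t in targets)

def names(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def is_sink(call):
    # Sinks: SQL text passed to .execute(), os.system(), subprocess calls with shell=True.
    attr = getattr(call.func, "attr", None)
    shell = any(k.arg == "shell" and getattr(k.value, "value", None) is True for k in call.keywords)
    return attr in {"execute", "system"} or (attr in {"run", "Popen", "call", "check_output"} and shell)

def scan(source):
    """Return (handler, line, sink) for tool parameters reaching a sink's first argument."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not (isinstance(fn, ast.FunctionDef) and is_tool(fn)):
            continue
        tainted, grew = {a.arg for a in fn.args.args}, True  # every tool argument is untrusted
        while grew:  # flow-insensitive fixpoint over simple assignments
            assigns = [n for n in ast.walk(fn) if isinstance(n, ast.Assign) and names(n.value) & tainted]
            new = {t.id for n in assigns for t in n.targets if isinstance(t, ast.Name)} - tainted
            tainted, grew = tainted | new, bool(new)
        for node in ast.walk(fn):
            if isinstance(node, ast.Call) and is_sink(node) and node.args and names(node.args[0]) & tainted:
                findings.append((fn.name, node.lineno, ast.unparse(node.func)))
    return findings
```

The parameterized handler is not flagged because only the query text (the first argument) is treated as the sink; bound parameters are passed separately. The check is intraprocedural and conservative, so it is a triage aid for code review rather than a replacement for a full analysis tool.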