MCP security nightmare: malicious code and data loss
The widespread Model Context Protocol opens up a large number of points of attack on users' systems. Docker has published an overview.
The Docker container platform warns of security risks that arise from the use of MCP sources, giving attackers easy access to files, databases, networks, and secrets. In addition, attackers can send far-reaching commands and inject malicious code.
The blog post criticizes the Model Context Protocol (MCP), which was introduced by Anthropic last year and is now widely used, as being designed for convenience rather than security. “It has become a security nightmare, exposing organizations to the risk of data loss, system compromise, and supply chain attacks.” The text emphasizes that these assumptions are not based on speculation, but on the “analysis of thousands of MCP servers that has uncovered systematic vulnerabilities in six critical attack vectors”. As protection, Docker recommends the in-house catalog of hardened MCP images, among other things.
Malicious code via OAuth
In fact, the blog entry backs up its assumptions with many references to studies by security companies that have investigated MCP. The first problem cited by Docker is malicious OAuth processes that can inject malicious code into clients. According to the study cited, 43 percent of the servers analyzed are affected by this. One example was a now-fixed issue in the widely used mcp-remote package, which allows clients to log in to remote MCP servers.
Other issues cited by Docker include the infiltration and execution of commands, unrestricted network access, access to the file system, misuse of tools, and the discovery of secrets. These may be found in improperly implemented environment variables, log files, or process lists.
Users should always check MCP sources carefully and also monitor which rights they require and which resources they access during operation. For open sources, for example, you can search for keywords such as eval() or exec(). The servers should also not require credentials as environment variables.
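As an added illustration of the review tip above (this is example code written for this page, not from the Docker post or any MCP project): a small Python scanner that walks a source tree, flags calls to eval() or exec(), and reports reads of credential-looking environment variables such as *_KEY, *_TOKEN or *_SECRET. The three source files it scans are constructed inline; the file extensions checked and the regular expressions are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample tree standing in for a downloaded MCP server (not a real project).
SAMPLE_FILES = {
    "server.py": 'import os\n'
                 'API_KEY = os.environ["GITHUB_TOKEN"]\n'
                 'def run(cmd):\n'
                 '    return exec(cmd)\n',
    "tool.js":   'const r = eval(userInput);\n'
                 'const k = process.env.OPENAI_API_KEY;\n',
    "safe.py":   'def add(a, b):\n'
                 '    return a + b\n',
}

# Extensions to inspect (assumption: Python and JavaScript/TypeScript servers).
SOURCE_SUFFIXES = {".py", ".js", ".ts"}

# Keyword heuristic from the article: eval( / exec( anywhere in source.
DANGEROUS_CALL = re.compile(r"\b(eval|exec)\s*\(")

# Reads of environment variables whose name suggests a credential.
ENV_CREDENTIAL = re.compile(
    r"(?:os\.environ(?:\.get)?\s*[\[(]\s*['\"]|process\.env\.)"
    r"(\w*(?:KEY|TOKEN|SECRET|PASSWORD)\w*)"
)


def scan_source(text, name):
    """Return (file, line, kind, detail) tuples for one source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in DANGEROUS_CALL.finditer(line):
            findings.append((name, lineno, "dangerous-call", m.group(1)))
        for m in ENV_CREDENTIAL.finditer(line):
            findings.append((name, lineno, "env-credential", m.group(1)))
    return findings


def scan_tree(root):
    """Walk a directory and scan every file with a known source suffix."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_source(text, str(path.relative_to(root))))
    return findings


def scan_sample():
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_FILES.items():
            (Path(tmp) / name).write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for file, line, kind, detail in scan_sample():
        print(f"{file}:{line}: {kind}: {detail}")
```

The keyword search is only a first filter: a hit on exec( may be harmless and a genuinely malicious server can hide the same behaviour behind subprocess or dynamic imports, so the output is a list of lines to read, not a verdict. The env-credential check covers the article's second point: a server that pulls a token from the environment at startup is one to treat with suspicion.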
heise devSec 2025 will take place in Regensburg on September 30 and October 1. The conference, organized by iX, heise Security and dpunkt.verlag, will focus on topics such as threat modeling, software supply chain, OAuth, ASPM, Kubernetes and the influence of GenAI on security.
The author of the blog post has announced that he will publish further articles on this topic.
(who)