The first large-scale MCP security study: what the analysis of 1,899 publicly accessible servers revealed
Model Context Protocol is rapidly becoming the de facto standard for interaction between AI agents and external tools. The statistics are impressive: as of May 2025, the MCP PyPI package is downloaded about 1.8 million times per week, and the NPM package 6.9 million times, for a combined total of nearly 8.7 million weekly SDK downloads.
However, as popularity grows, questions about security naturally arise. A team of researchers from Queen's University (Canada) conducted the first large-scale empirical study on the security and maintainability of MCP servers, the results of which were published in June 2025.
Scope and Methodology of the Study
The study covered an impressive sample of 1,899 open-source MCP servers, including 343 official repositories from Anthropic and 1,556 projects found through GitHub mining. After filtering and metric verification, 583 repositories were selected for final analysis.
The research methodology included a three-level approach:
SonarQube analysis — a well-known tool (some don't consider it a security tool, but still), classifying findings into four severity levels: Blocker, Critical, Major, and Minor. The analysis covered traditional security issues, code smells, and bugs.
Specialized analysis using mcp-scan — a tool specifically developed to identify MCP-specific security risks, including the issue of tool poisoning (which we will discuss later). However, this tool turned out to be technically complex to use: out of 83 servers in the representative sample, only 60 scans were initially successful.
LLM clustering — using GPT-4o, GPT-4o mini, and Gemini 2.5 Pro to synthesize and categorize the results of static analysis, which made it possible to identify high-level vulnerability patterns.
Unexpectedly strong indicators of the entire ecosystem's resilience
Contrary to concerns about the immaturity of the young ecosystem, MCP servers demonstrated impressive health and development resilience. 42.2% of servers have already implemented continuous integration (CI), which is higher than both general open-source projects (40.3%) and ML projects (37.2%). The build success rate is 90%, indicating a healthy codebase.
Development activity is especially noteworthy: MCP servers show a median commit frequency of 5.5 per week compared to 2.5 commits per week for classic open-source projects. Mined MCP servers (found through GitHub) receive 101.4% more commits than community servers and exceed official servers by 56% in lines of code.
The landscape of security threats discovered by the researchers
The analysis revealed unique threat characteristics in MCP projects that are radically different from those in traditional software ecosystems.
Credential Exposure as the main threat
3.6% of MCP servers suffer from credential leakage issues — this is the most common vulnerability in these projects. In comparison, the top issue in PyPI packages is Cross-Site Scripting (XSS), while in NPM it is malicious packages. This specificity is explained by the nature of MCP servers: they often act as intermediaries between Foundation Models and external systems, handling API keys, user credentials, and other sensitive information.
Unique Vulnerability Patterns
The study identified 8 different vulnerability patterns, with only 2 of them (Authentication Issues and User Input Validation Issues) overlapping with the top issues in PyPI packages, and none being a priority for the NPM ecosystem.
The full picture of vulnerability distribution is as follows:
- Credential Exposure: 3.6% of servers (CWE-259, CWE-798)
- Lack of Access Control: 1.4% of servers (CWE-306, CWE-284)
- CORS Issues: 1.2% of servers (CWE-345)
- Improper Resource Management: 1.0% of servers (CWE-770)
- Transport Security Issues: 0.7% of servers (CWE-295, CWE-297, CWE-327)
- Authentication Issues: 0.5% of servers (CWE-347)
- Insecure File Creation: 0.2% of servers (CWE-377)
- Input Validation Issues: 0.2% of servers (CWE-611)
In total, 7.2% of MCP servers contain at least one security vulnerability, with half of them affected by credential exposure.
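Since credential exposure (CWE-259, CWE-798) is the dominant finding, the following added example shows what a minimal check for that pattern looks like, together with the hardened form that reads the secret from the environment. This is illustrative code written for this summary, not code from the study, from SonarQube, or from the MCP SDK; the regexes are a small readable subset of what a real scanner uses, and the sample server source (with fake key values) is constructed for the demonstration.

```python
"""Detecting and avoiding hardcoded credentials in MCP server code.

Added example for this summary; not code from the study or the MCP SDK.
SAMPLE_SERVER_SOURCE below is constructed, and every key value in it is fake.
"""
from __future__ import annotations

import os
import re
from typing import Mapping

# An assignment of a string literal to a name that ends in a secret-like word.
# Deliberately narrow: identifiers such as `api_key_header` are not flagged.
_SECRET_NAME = re.compile(
    r"""^\s*([A-Za-z_][A-Za-z0-9_]*?(?:api[_-]?key|secret|token|password|passwd))"""
    r"""\s*=\s*["']([^"']{8,})["']""",
    re.IGNORECASE,
)
# Well-known key formats that should never appear in source regardless of the name.
_KNOWN_KEY_FORMATS = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
]
# Values that are obviously placeholders rather than leaked secrets.
_PLACEHOLDERS = {"changeme", "your-api-key", "xxxxxxxx", "<api-key>"}


def find_hardcoded_credentials(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_kind, identifier_or_key_prefix) per suspicious line."""
    findings: list[tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _SECRET_NAME.match(line)
        if m and m.group(2).lower() not in _PLACEHOLDERS:
            findings.append((lineno, "secret-like assignment", m.group(1)))
            continue
        for kind, pattern in _KNOWN_KEY_FORMATS:
            km = pattern.search(line)
            if km:
                # Report only a prefix so the finding itself does not re-leak the value.
                findings.append((lineno, kind, km.group(0)[:8] + "..."))
    return findings


def load_api_key(var_name: str = "NOTES_API_KEY",
                 env: Mapping[str, str] | None = None) -> str:
    """Hardened form: read the secret from the environment and fail loudly if absent.

    `env` defaults to os.environ; it is a parameter only so the loader can be tested.
    """
    source = os.environ if env is None else env
    value = source.get(var_name)
    if not value:
        raise RuntimeError(f"{var_name} is not set; refusing to start without a credential")
    return value


# Constructed sample of a server module; the secrets are fake.
SAMPLE_SERVER_SOURCE = '''\
import httpx
OPENAI_API_KEY = "sk-constructed-fake-key-0123456789"   # hardcoded (CWE-798)
DB_PASSWORD = "hunter2hunter2"                          # hardcoded (CWE-259)
aws_key = "AKIAIOSFODNN7EXAMPLE"                        # known key format
API_KEY = "your-api-key"                                # placeholder, ignored
api_key = os.environ["NOTES_API_KEY"]                   # correct pattern
'''

if __name__ == "__main__":
    for lineno, kind, ident in find_hardcoded_credentials(SAMPLE_SERVER_SOURCE):
        print(f"line {lineno}: {kind} ({ident})")
```

Running the scanner on the constructed sample flags lines 2, 3 and 4 and leaves the placeholder and the environment lookup alone. The narrow name regex trades recall for a low false-positive rate; in practice this check belongs in CI next to the SonarQube run the study describes, so a credential never reaches the repository in the first place.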
Tool Poisoning: A New Class of Threats
A particular concern is the discovery of tool poisoning in 5.5% of MCP servers — this is even more prevalent than credential exposure. Tool poisoning is an MCP-specific attack where attackers can manipulate the base model, causing it to use compromised tools.
A classic example of such an attack is injecting malicious code into the .bashrc file through an MCP server with file write permissions, creating a backdoor for attackers. That mcp-scan detects this critical issue at such a high rate suggests that many more hidden problems exist which current analysis tools cannot detect.
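The .bashrc example above is an outcome of a file-write tool that trusts whatever path the model hands it. As an added example (written for this summary, not taken from the study, mcp-scan or any real MCP server), the following shows the least-privilege shape such a tool should have: every request is mapped onto a fixed root, symlinks and `..` are resolved before the check, and shell and credential dotfiles are refused even inside the root. The tool layout (a plain function the server would register), the root directory and the denylist are assumptions for the demonstration.

```python
"""Confining a file-write MCP tool to an explicit root.

Added example for this summary; not the study's code nor the MCP SDK.
The denylist and the throwaway root used in demo() are constructed.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Names a note-writing tool has no business touching, even inside its root.
_DENIED_NAMES = {".bashrc", ".bash_profile", ".profile", ".zshrc",
                 ".ssh", ".gitconfig", ".env"}


class WriteRefused(PermissionError):
    """Raised when a requested path falls outside the tool's confinement."""


def resolve_confined(root: Path, requested: str) -> Path:
    """Map a tool-supplied path onto `root`, or raise WriteRefused.

    Order of checks: a leading '/' is stripped so absolute paths cannot re-anchor
    the request; symlinks and '..' are resolved; the result must stay under root;
    no component may be a protected dotfile.
    """
    root = root.resolve()
    candidate = (root / requested.lstrip("/")).resolve()
    if not candidate.is_relative_to(root):
        raise WriteRefused(f"{requested!r} resolves outside {root}")
    if any(part in _DENIED_NAMES for part in candidate.relative_to(root).parts):
        raise WriteRefused(f"{requested!r} targets a protected dotfile")
    return candidate


def write_note(root: Path, requested: str, content: str) -> Path:
    """Tool body: write only after the path has passed confinement."""
    target = resolve_confined(root, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target


def demo() -> dict[str, str]:
    """Exercise the tool against a throwaway root and report each request's outcome."""
    outcomes: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "notes"
        root.mkdir()
        root = root.resolve()
        # A symlink inside the root that points outside it (constructed escape attempt).
        (root / "link").symlink_to(Path(tmp))
        requests = [
            ("todo.md", "# constructed note"),          # benign, inside root
            ("../../.bashrc", "echo poisoned"),         # traversal out of root
            ("/home/user/.bashrc", "echo poisoned"),    # absolute path to a dotfile
            ("project/.env", "KEY=constructed"),        # protected dotfile inside root
            ("link/escaped.txt", "via symlink"),        # escape through a symlink
        ]
        for requested, content in requests:
            try:
                written = write_note(root, requested, content)
                outcomes[requested] = "written:" + str(written.relative_to(root))
            except WriteRefused:
                outcomes[requested] = "refused"
    return outcomes


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:24} -> {outcome}")
```

Only the benign request is written; the traversal, the absolute path, the dotfile inside the root and the symlink escape are all refused. The same principle applies to the permission footprint discussed later in the study: a tool that needs to write notes should be granted a directory, not the whole disk.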
Code Quality and Maintainability Issues
The study identified serious code quality issues. 66% of MCP servers exhibit "code smells" — indicators of potential problems in the architecture and implementation of code, which may complicate the maintenance and development of projects in the long term.
Additionally, 14.4% of servers contain bugs falling into 10 typical bug patterns characteristic of open-source projects.
Limitations of Existing Analysis Tools
The study revealed critical limitations of modern security tools when working with MCP servers. Traditional tools like SonarQube detect significantly fewer vulnerabilities in MCP servers (obviously) compared to the PyPI and NPM ecosystems, where 46% of Python packages and 40% of JavaScript packages contain known vulnerabilities.
mcp-scan, although capable of detecting tool poisoning, misses other critical security issues such as excessive permission requirements and unsafe default behaviors. For example, the server apple-notes-mcp requires full disk access on macOS to interact with the Apple Notes SQLite database, which presents a significant security risk.
Conclusions and Recommendations
The results of the first large-scale security study of MCP present a complex picture: on one hand, the ecosystem shows healthy development and activity indicators, but on the other hand, it faces unique security challenges that require a specialized approach.
---
Source: [Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers](https://arxiv.org/html/2506.13538v2) — Queen's University, June 2025