MCP Server Prompt Injection

high Web App Scanning Plugin ID 114928

Synopsis

MCP Server Prompt Injection

Description

Model Context Protocol (MCP) Server Prompt Injection occurs when malicious actors use tools response to inject malicious prompts to the calling LLM through the MCP client. This can lead to the execution of unauthorized commands, data corruption, or the deployment of malicious tools. Such vulnerabilities are particularly dangerous in AI development environments, where malicious tools can compromise the integrity of the development process and lead to further exploitation. This detection is included in the AI and LLM category.

Solution

Review MCP server tools behaviour to ensure that they do not return malicious configurations or commands. Implement strict validation and sanitization of tool metadata to prevent the execution of unauthorized commands or sensitive action. Regularly audit MCP server configurations and tools to detect and mitigate potential injection attempts.

See Also

https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks

https://www.tenable.com/blog/mcp-prompt-injection-not-just-for-evil

Plugin Details

Severity: High

ID: 114928

Type: remote

Published: 7/31/2025

Updated: 7/31/2025

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 7.5

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 20

OWASP: 2010-A4, 2013-A4, 2017-A5, 2021-A3

WASC: Improper Input Handling

CAPEC: 10, 101, 104, 108, 109, 110, 120, 13, 135, 136, 14, 153, 182, 209, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 42, 43, 45, 46, 47, 473, 52, 53, 588, 63, 64, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-002560

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-5.1.3

PCI-DSS: 3.2-6.5