Anthropic Highlights MCP Vulnerabilities Developers Must Address, Composio Reports

Anthropic’s Model Context Protocol (MCP) has quickly become the de‑facto lingua franca for plugging LLMs into external tools, yet the security posture of most deployments remains precarious. According to Composio’s deep‑dive of MCP implementations, more than 70 % of live servers still run with “outdated security configurations,” exposing them to data theft, credential hijacking and remote code execution (Composio). The report flags three systemic flaws that persist despite the protocol’s June‑2025 spec update: tool‑description injection, weak or absent authentication, and supply‑chain contamination of MCP packages.

The first flaw—tool‑description injection—arises because MCP servers convey tool capabilities to the model via natural‑language metadata. Composio notes that this description is fed directly into the LLM’s prompt without sanitisation, allowing a malicious actor to embed harmful instructions that the model will then execute as if they were legitimate tool calls. Real‑world incidents such as the “Supabase MCP Lethal Trifecta Attack” and the “mcp‑remote Command Injection” demonstrate how an attacker can manipulate these descriptions to trigger arbitrary code paths on the host server (Composio). The June‑2025 spec attempts to mitigate the risk by recommending “no token passthrough and enforced user consent,” but Composio observes that most developers ignore these guidelines, leaving the injection vector wide open.

Authentication gaps compound the problem. VentureBeat’s coverage of the Clawdbot demonstration highlighted that many public MCP endpoints accept unauthenticated calls, effectively treating every request as a trusted user (VentureBeat). Composio corroborates this, stating that “OAuth is often skipped or poorly implemented” and that “many public MCP servers don’t verify requests or protect user sessions.” In practice, this means an attacker can enumerate available tools, invoke them, and harvest sensitive data without presenting any credentials. The report cites the “Asana Data leak” as a case where an unauthenticated MCP endpoint exposed corporate project information to the internet.

Supply‑chain risk is another under‑appreciated threat. MCP libraries are distributed via common package managers such as npm and Docker, and Composio warns that “most people install MCP packages without realizing how easily they can be tampered with.” A single poisoned update can inject malicious code into every downstream deployment, as illustrated by the “Accessing private repositories via GitHub MCP” incident, where a compromised package granted attackers read‑only access to private codebases. The June‑2025 spec introduces best‑practice recommendations for signed releases and integrity checks, yet the report finds that “most implementations simply ignore them,” leaving the ecosystem vulnerable to supply‑chain attacks.

The scale of the exposure is staggering. Composio estimates that “thousands of MCP servers are publicly accessible, with thousands more in private deployments,” many of which operate in high‑stakes sectors such as finance, healthcare and customer support. The rapid adoption by major cloud providers—Microsoft, OpenAI, Google and Amazon—has outpaced the development of robust security controls, creating a “dangerous gap between adoption and protection” (Composio). As a result, a single breach in an MCP‑enabled service could cascade across multiple enterprises that rely on the same toolset.

Developers looking to harden their MCP deployments must treat the three vulnerabilities as a checklist rather than an afterthought. Composio advises: (1) sanitize tool descriptions and enforce strict schema validation before injecting them into model prompts; (2) implement full OAuth flows with token verification and reject unauthenticated calls; and (3) lock down the supply chain by using signed package releases, verifying checksums, and monitoring for anomalous updates. While the new spec provides a blueprint, the onus remains on implementers to translate those guidelines into concrete safeguards, or risk becoming the next headline in the growing catalog of MCP‑related security failures.