

A Timeline of Model Context Protocol (MCP) Security Breaches

By Sohan Maheshwar

November 25, 2025 | 7 min read

MCP Article #1:

Timeline of MCP Breaches

AI fundamentally changes the interface, but not the fundamentals of security. Read on to find out why.

It feels like eons ago that the Model Context Protocol (MCP) was introduced; in fact, it was only November 2024.

It promised to become the USB-C of AI agents — a universal bridge for connecting LLMs to tools, APIs, documents, emails, codebases, databases and cloud infrastructure. In just months, the ecosystem exploded: dozens of tool servers, open-source integrations, host implementations, and hosted MCP registries began to appear.

As the ecosystem rushed to adopt MCP, it ran into the classic problem of any new technology: developers wired powerful, sensitive systems into the new spec without rigorously applying the established security controls and principles they would apply anywhere else. By mid-2025 the first serious vulnerabilities were public, and they confirmed that the AI-native world is governed by the same security principles as traditional software.

Below is the first consolidated timeline tracing the major MCP-related breaches and security failures: what happened, what data was exposed, why it happened, and what each incident reveals about the new threat surface LLMs bring into organisations.

Timeline:

Apr - Jun 2025

1. April 2025 – WhatsApp MCP Exploited: Chat-History Exfiltration

  • What happened: Invariant Labs demonstrated that a malicious MCP server could silently exfiltrate a user’s entire WhatsApp history by combining “tool poisoning” with a legitimate whatsapp-mcp server connected to the same agent. A seemingly harmless “random fact of the day” tool acted as a sleeper backdoor: after it had been approved, its description changed to carry hidden instructions that rewrote how the agent sent WhatsApp messages. (Source: Invariant Labs)

  • Data at risk & why: Once the agent read the poisoned tool description, it followed the hidden instructions and sent hundreds or thousands of past WhatsApp messages (personal chats, business deals, customer data) to an attacker-controlled phone number. Because the exfiltration was disguised as ordinary outbound messages, typical Data Loss Prevention (DLP) tooling saw nothing unusual.

2. May 2025 – GitHub MCP “Prompt Injection Data Heist”

  • What happened: Invariant Labs uncovered a prompt-injection attack against the official GitHub MCP server: a malicious public GitHub issue could hijack an AI assistant and make it pull data from private repositories, then leak that data back into a public repository. (Source: Invariant Labs)

  • Data breached & why: With a single over-privileged Personal Access Token (PAT) wired into the MCP server, the hijacked agent exfiltrated private repository contents, internal project details, and even personal financial and salary information into a public pull request. The root cause was broad PAT scopes combined with untrusted content (issues) in the LLM context, which let a prompt-injected agent abuse perfectly legitimate MCP tool calls.

3. June 2025: Asana MCP Server Bug

  • What happened: Asana discovered a bug in its MCP server feature that could allow data belonging to one organisation to be seen by other organisations using the same integration. (Source: UpGuard)

  • Data breached & why: Projects, teams, tasks and other Asana objects belonging to one customer were potentially accessible to a different customer. The cause was a logic flaw in the access control of the MCP-enabled integration: cross-tenant access was not properly isolated.

4. June 2025 – Anthropic MCP Inspector RCE

  • What happened: Researchers found that Anthropic’s MCP Inspector developer tool allowed unauthenticated remote code execution through its inspector–proxy architecture. An attacker could get arbitrary commands run on a developer machine by having the victim inspect a malicious MCP server, or by driving the Inspector’s proxy from a web page open in the victim’s browser. (Source: CVE record)

  • Data at risk & why: Because the Inspector ran with the user’s privileges and its proxy accepted unauthenticated requests while listening on localhost / 0.0.0.0, a successful exploit could expose the entire filesystem, API keys, and environment secrets on the developer workstation, effectively turning a debugging tool into a remote shell. (Source: VSec on Medium)


Jul - Sept 2025

1. July 2025 – mcp-remote OS Command Injection

  • What happened: JFrog disclosed CVE-2025-6514, a critical OS command-injection bug in mcp-remote, a popular OAuth proxy for connecting local MCP clients to remote servers. A malicious MCP server could return a booby-trapped authorization_endpoint that mcp-remote passed straight to the system shell, achieving remote code execution on the client machine. (Source: CVE record)

  • Data at risk & why: With over 437,000 downloads and a place in the integration guides of Cloudflare, Hugging Face, Auth0 and others, the vulnerability effectively turned every unpatched install into a supply-chain backdoor: an attacker could execute arbitrary commands and steal API keys, cloud credentials, local files, SSH keys and Git repository contents, all triggered by pointing an LLM host at a malicious MCP endpoint. (Source: Docker blog)

2. August 2025: Anthropic “Filesystem MCP Server” Vulnerabilities

  • What happened: Security researchers found two critical flaws in Anthropic’s Filesystem MCP server: a sandbox escape and a symlink/containment bypass, together enabling arbitrary file access and code execution. (Source: Cymulate)

  • Data breached & why: Host filesystem access, meaning sensitive files, credentials, logs or other data on the machine running the server could be read or modified. The root cause was a weak sandbox implementation and insufficient directory-containment enforcement in the server’s file tools: paths were checked by string prefix rather than by resolved location, and symlinks were not resolved before the check.

3. September 2025: Malicious MCP Server in the Wild

  • What happened: A malicious MCP server package masquerading as a legitimate “Postmark MCP Server” was found silently BCCing copies of every email it sent (including confidential documents) to an attacker-controlled address. (Source: IT Pro)

  • Data breached & why: Emails, internal memos, invoices: essentially all mail traffic processed by that MCP server was exposed. This was a supply-chain compromise via a malicious package in the MCP ecosystem, compounded by the fact that MCP servers often run with high-privilege access, which the attacker simply inherited.


Oct - Dec 2025

1. October 2025 – Smithery MCP Hosting Supply-Chain Breach

  • What happened: While researching Smithery’s hosted MCP server platform, GitGuardian found a path-traversal bug in the smithery.yaml build configuration. By setting dockerBuildPath: "..", an attacker could make the registry build Docker images from the builder’s home directory rather than from the repository checkout, then exfiltrate its contents and credentials. (Source: GitGuardian)

  • Data breached & why: The exploit leaked the builder’s ~/.docker/config.json, including a Fly.io API token that granted control over >3,000 apps, most of them hosted MCP servers. From there, attackers could run arbitrary commands in MCP server containers and tap inbound client traffic that contained API keys and other secrets for downstream services (e.g. Brave API keys), turning the MCP hosting service itself into a high-impact supply-chain compromise.

2. October 2025 – Figma/Framelink MCP Command Injection

  • What happened: A command-injection flaw was discovered in the Figma/Framelink MCP integration: unsanitised input was interpolated into shell commands, allowing remote code execution. (Source: The Hacker News)

  • Data breached & why: Because the integration let AI agents interact with Figma documents, the flaw allowed an attacker to run arbitrary commands through the MCP tooling and reach design data or the infrastructure the server ran on. The root cause was the unsafe use of child_process.exec with untrusted input in the MCP server code, in other words a lack of input sanitisation. (Source: CVE record)

And we’re sure there are more to come. We’ll keep this post updated with the latest security incidents and data breaches in the MCP world.


Patterns Emerging Across Incidents

Across all these breaches, common themes appear:

1. Local AI dev tools behave like exposed remote APIs

MCP Inspector, mcp-remote, and similar tooling turned into Remote Code Execution (RCE) surfaces simply by trusting localhost connections.

2. Over-privileged API tokens are catastrophic in MCP workflows

The GitHub MCP and Smithery incidents both turned on overly broad token scopes, and the WhatsApp attack abused an agent that had unrestricted read and send access through the WhatsApp tool.

3. “Tool poisoning” is a new, AI-native supply chain vector

Traditional security tools don’t monitor changes to MCP tool descriptions.

4. Hosted MCP registries concentrate risk

Smithery illustrated what happens when thousands of tenants rely on a single build pipeline.

5. Prompt injection becomes a full data breach

The GitHub MCP incident demonstrated how natural language alone can cause exfiltration when MCP calls are available.


Conclusion:

The Model Context Protocol (MCP) presents a cutting-edge threat surface, yet the breaches detailed here are rooted in timeless flaws: over-privilege, inadequate input validation, and insufficient isolation.

AI fundamentally changes the interface, but not the fundamentals of security. To secure the AI era, we must rigorously apply old-school principles of least privilege and zero-trust to these powerful new software components.

As adoption accelerates, organisations must treat MCP surfaces with the same seriousness as API gateways, CI/CD pipelines, and Cloud IAM.

Because attackers already are.
