MCP Protocol Tool Poisoning via Malicious Server Registration

Researchers disclosed a vulnerability in the Model Context Protocol where a malicious MCP server can register tools with descriptions containing hidden instructions that override the agent's system prompt, enabling arbitrary action execution.

An attacker hosts a malicious MCP server and tricks the user or agent into connecting to it. The tool descriptions contain prompt injection payloads that are processed by the LLM as trusted instructions.

Any MCP-enabled agent framework including Claude Desktop, Cursor, and custom MCP integrations that do not validate tool descriptions.

Implement tool description sanitization, restrict MCP server connections to allowlisted endpoints, and add human-in-the-loop confirmation for sensitive tool actions.