The most popular trusted model context protocol (MCP) servers on the Web today contain severe cybersecurity vulnerabilities.
The Internet of AI forming all around us is growing larger and more unwieldy by the day. Even just a few years ago, AI apps and services were contained and prescribed. Talking to ChatGPT was like being in a closed room with a smart person — whatever happened there didn't really affect the rest of the world.
Today autonomous agents have infected every software-as-a-service (SaaS) platform, performing largely unmonitored actions that spread data and cyberattacks beyond where their users realize. And even simple chatbot conversations are no longer so simple anymore, because large language models (LLMs) can connect to external data sources using MCP servers.
In the rush to get them to market — and in fear of overly constricting their users — connected AI solutions like MCP servers have often shipped with inadequate guardrails. When Anthropic first created the MCP open standard, it left security up to the user. Now, more than a year later, even the most reliable, brand name MCP servers are rife with security holes, according to security researchers.
On Jan. 20, Cyata researcher Yarden Porat revealed an exploit chain that weaponizes Anthropic's own Git and filesystem MCP servers to achieve remote code execution (RCE). Meanwhile, BlueRock principal solutions engineer David Onwukwe disclosed a severe server-side request forgery (SSRF) vulnerability in Microsoft's MarkItDown MCP server. Worse: When they analyzed more than 7,000 MCP servers, they found that the same SSRF exposure might be latent in around 36.7% of all MCP servers on the Web today.
Together these findings paint a picture of an overly pliant, dangerously underestimated threat vector.
MCP Servers Carry SSRF Risks
Microsoft's MarkItDown MCP server is one of the most popular around, as evidenced by its more than 85,000 stars and 5,000 forks on GitHub. It's utterly simple, too: little more than a conversion tool that takes a variety of file types and converts them into Markdown for LLMs. What's the harm in that?
Well, to begin with, the user needs to indicate where the file they want to convert is located. So they feed MarkItDown a URI, and MarkItDown fetches whatever's there. It turns out, though, that MarkItDown doesn't in any way restrict this user input. "It could be a file that is internal; it could be any other file that is accessible via the network, to that given server, [or] any other type of arbitrary call that you would want to make," explains Harold Byun, chief product officer at BlueRock.
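The SSRF class described above comes from fetching whatever URI the caller supplies. The following is an added, hypothetical check (not MarkItDown's code, and not the researchers' proof of concept) that a URI-fetching service could run before the fetch: it refuses non-HTTP schemes and any host that resolves to a loopback, private or link-local address; the `resolver` parameter is assumed so the logic can be exercised offline.

```python
"""Added example: gate user-supplied URIs before a server-side fetch.
Hypothetical code, not MarkItDown's own; it illustrates the mitigation
for the SSRF class the article describes."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    # Default resolver: every address the host name maps to (A and AAAA).
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_fetch_url(url, resolver=_resolve):
    """Return (ok, reason).

    Rejects file://, gopher:// and other non-HTTP schemes, empty hosts,
    and any host whose addresses are not globally routable: loopback,
    RFC 1918 ranges, link-local (e.g. the 169.254.169.254 cloud metadata
    endpoint), unspecified and documentation ranges all fail `is_global`.
    `resolver` is injectable (assumption) so tests need no DNS.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # urlparse strips IPv6 brackets and lowercases
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"
    for addr in addrs:
        if not addr.is_global:
            return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"
```

The check only holds if the fetch then connects to the address that was validated; resolving again at connect time reopens the window to DNS rebinding, and redirects must be re-checked hop by hop.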