MCP Proxy
Security architecture and validation patterns for brokered MCP access, server registration, tool isolation, and integration visibility.
Command injection through untrusted MCP configuration.
Weak identity binding between transport endpoints and real users.
Silent supply chain inheritance from reference implementations and SDK defaults.
Built For
Teams exposing MCP servers to internal assistants or external customers.
Platform owners standardizing server registration and policy boundaries.
Security teams responding to fast-moving MCP ecosystem vulnerabilities.
Use Cases
Introduce brokered, inspectable access between agents and MCP servers.
Reduce direct STDIO and arbitrary command exposure in server registration flows.
Capture policy, audit, and isolation decisions in one control plane.
Related Content
Breaking MCP Authentication: How a Single Line of Code Exposes an Entire Legal Database
Eresus Security discovers a critical authentication bypass in yargi-mcp, a popular open-source MCP server for Turkish legal databases. A single...
Zero-Day Analysis: Authenticated SSRF in n8n-mcp (GHSA-4ggg-h7ph-26qr)
Eresus Security Research Team discovered a critical Authenticated SSRF vulnerability in n8n-mcp. Learn how the x-n8n-url header was exploited to access...
Securing Agentic AI: Where MLSecOps Meets DevSecOps
Understanding agentic AI systems, which go beyond traditional AI models by acting autonomously with limited human oversight.
Related Advisories
Unauthenticated Remote Code Execution via Arbitrary Command Injection in MCPHub Server Registration
MCPHub accepts attacker-controlled command and args values during server registration and spawns them through STDIO, enabling full remote code execution on the host.
Authentication Bypass via skipAuth Configuration Grants Full Admin Access in MCPHub
When skipAuth is enabled, MCPHub bypasses both authentication and admin authorization checks, allowing any unauthenticated user to access privileged API functionality.
SSE Endpoint Accepts Arbitrary Username from URL Path, Enabling User Impersonation in MCPHub
MCPHub accepts an attacker-controlled username from the SSE URL path and creates internal user context without authenticating or validating the account, enabling user impersonation.
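The last two advisories above describe the same boundary failure from two sides: a username taken from the SSE URL path becomes the user context, and a skipAuth flag collapses authentication and admin authorization together. The "weak identity binding" risk at the top of the page is the general form. The following is an added JavaScript example written for this page, not MCPHub's or Eresus's code; the bearer-token session store, the /sse/:username route shape, and the role names are assumptions.

```javascript
// Added example (not MCPHub's or Eresus's code): binding an SSE transport
// connection to a verified principal instead of trusting the URL path.
// Session store, route shape and role names are assumptions for the example.

// Constructed session store: bearer token -> authenticated principal.
const SESSIONS = new Map([
  ["tok-alice-1", { user: "alice", roles: ["user"] }],
  ["tok-root-9", { user: "root", roles: ["user", "admin"] }],
]);

// Vulnerable pattern: whatever appears in the path becomes the user context,
// with no credential checked at all.
function identityFromPathUnsafe(req) {
  const m = /^\/sse\/([^/]+)$/.exec(req.path);
  return m ? { user: decodeURIComponent(m[1]), roles: ["user"] } : null;
}

// Hardened pattern: identity comes only from a verified credential. The path
// may still carry a username for routing, but it must match the credential.
// There is deliberately no skipAuth-style branch: every request needs a token.
function identityFromCredential(req, sessions = SESSIONS) {
  const auth = (req.headers && req.headers.authorization) || "";
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (!m) return { ok: false, status: 401, reason: "missing bearer token" };
  const principal = sessions.get(m[1]);
  if (!principal) return { ok: false, status: 401, reason: "unknown token" };
  const pathUser = /^\/sse\/([^/]+)$/.exec(req.path);
  if (pathUser && decodeURIComponent(pathUser[1]) !== principal.user) {
    return { ok: false, status: 403, reason: "path user does not match credential" };
  }
  return { ok: true, status: 200, principal };
}

// Admin authorization is a second check on the already-verified principal.
// Because it is a separate step that takes no configuration flag, a single
// setting cannot disable authentication and authorization at once.
function authorizeAdmin(req, sessions = SESSIONS) {
  const r = identityFromCredential(req, sessions);
  if (!r.ok) return r;
  if (!r.principal.roles.includes("admin")) {
    return { ok: false, status: 403, reason: "admin role required" };
  }
  return r;
}
```

In a proxy this is the check that runs once per transport connection, before any MCP message is forwarded, and the resulting principal is what audit records and per-tool policy should key on. If a development bypass is genuinely needed, it belongs in a separate, non-default build or session-store entry that still yields a named principal, not in a flag that skips the function above.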
Frequently Asked Questions
Why focus on proxy architecture?
Because MCP security often fails at the boundary between agents, transport, configuration, and tool execution. A proxy helps make that boundary explicit.
Can this help with third-party MCP servers?
Yes. It is especially useful when you need inspection, policy, and containment around untrusted or fast-changing servers.
Need help validating this attack surface?
Talk with Eresus Security about scoped testing, threat modeling, and remediation priorities for this workflow.