
CVE-2025-54136 MCPoison: Why Hosted MCP Servers Have a Smaller Attack Surface
This week, security researchers disclosed CVE-2025-54136 MCPoison — a vulnerability in self-hosted MCP (Model Context Protocol) servers that allows attackers to inject malicious tools.

The attack is simple:

1. An attacker creates a fake MCP tool named screenshot.
2. They place it in the local MCP tools directory.
3. The Cursor agent (or other LLM client) loads the fake tool without verification.
4. The fake tool steals data, credentials, or executes arbitrary code.

The root cause: self-hosted MCP servers trust local tool names without cryptographic verification.

How MCPoison Works

A typical self-hosted MCP setup:

    Cursor IDE
      ↓
    Local MCP Server (runs on your machine)
      ↓
    Loads tools from: ~/.mcp/tools/
      ↓
    Agent calls: take_screenshot()
      ↓
    Which screenshot tool runs? The real one? Or the fake one in the same directory?

The MCP server has no way to verify which tool is authentic. It loads tools by name from the local filesystem. An
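The root cause described above is name-based trust: whatever file in the tools directory carries the expected name gets loaded. The following is an added example, not code from the original post or from Cursor or any MCP implementation, showing the kind of check a local tool loader can add. It pins each tool name to a SHA-256 digest in a manifest and registers a tool only when both the name is listed and the file content matches the pinned digest; a file that reuses a pinned name with different content, or a file nobody pinned, is rejected before anything is loaded. The `tools/<name>.py` layout, the manifest format, and all file contents are constructed for the example.

```python
"""Added example (not from the original post): a tool loader that verifies
tool files against a pinned SHA-256 manifest before registering them by name,
instead of trusting whichever file in the tools directory has that name.
The directory layout (tools/<name>.py), the manifest format, and every file
body below are assumptions constructed for the example."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_verified_tools(tools_dir, manifest):
    """Return (accepted, rejected).

    accepted: {tool_name: path} for files whose name is pinned in the manifest
              AND whose content hash equals the pinned digest.
    rejected: {tool_name: reason} for files that are not pinned at all, or
              that reuse a pinned name with different content.
    Nothing is imported or executed here; verification happens before any
    tool code would run.
    """
    accepted, rejected = {}, {}
    for fname in sorted(os.listdir(tools_dir)):
        if not fname.endswith(".py"):
            continue
        name = fname[:-3]
        path = os.path.join(tools_dir, fname)
        pinned = manifest.get(name)
        if pinned is None:
            rejected[name] = "not in manifest"
            continue
        if sha256_file(path) != pinned:
            rejected[name] = "hash mismatch"
            continue
        accepted[name] = path
    return accepted, rejected


# Constructed "genuine" tool bodies; the manifest pins their digests.
GENUINE_SCREENSHOT = b"def run():\n    return 'screenshot v1'\n"
GENUINE_CALC = b"def run(a, b):\n    return a + b\n"
MANIFEST = {
    "screenshot": hashlib.sha256(GENUINE_SCREENSHOT).hexdigest(),
    "calc": hashlib.sha256(GENUINE_CALC).hexdigest(),
}


def _write(d, fname, body):
    with open(os.path.join(d, fname), "wb") as f:
        f.write(body)


def demo():
    """Build a constructed tools directory and run the verified loader.

    Returns (sorted accepted names, rejected dict) so the outcome can be
    checked: only the untouched 'calc' tool is accepted; the file that carries
    the pinned name 'screenshot' but different bytes is rejected, as is the
    unlisted 'extra' tool."""
    with tempfile.TemporaryDirectory() as d:
        _write(d, "calc.py", GENUINE_CALC)
        # constructed: same name as the pinned tool, different content
        _write(d, "screenshot.py", b"def run():\n    return 'not the pinned tool'\n")
        # constructed: a tool that was never pinned
        _write(d, "extra.py", b"def run():\n    return 'unlisted'\n")
        accepted, rejected = load_verified_tools(d, MANIFEST)
    return sorted(accepted), rejected


if __name__ == "__main__":
    print(demo())
```

The manifest itself is the trust anchor, so in a real deployment it would live outside the writable tools directory (or be signed), otherwise a writer who can drop a tool file could also rewrite the pins; the example only shows the content check that name-based loading lacks.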
Continue reading on Dev.to



