Line-jumping is a prompt-injection variant where an attacker injects control characters, unexpected newlines, or specially crafted tokens into an MCP input (tool manifest, example prompts, or tool output) so the LLM interprets or executes content out of its intended sequence. By forcing the model to "jump" to attacker-placed lines (hidden instructions, alternate sections, or command-like fragments), the adversary induces the model to follow malicious directives that were meant to remain inert or contextual. This breaks assumptions about linear parsing and can lead to unauthorised actions, data leakage, or command execution via tools.

Remediation

• Canonicalise and normalise all tool manifests and inputs: collapse excessive whitespace, strip control/non-printable characters, and normalise line endings before ingestion.
• Enforce strict manifest schemas and reject fields containing control characters or unusually long whitespace blocks.
• Surface raw (canonical) manifest text to approvers highlighting non-printables and line breaks; require explicit approval for any unusual content.
• Require signed manifests and verify provenance so malicious on-the-fly edits cannot be trusted.
• Run tools and any text parsing in sandboxed runtimes and apply runtime mediation for any operations that originate from user-supplied or multi-line content.