
MCP Tool Shadowing

Tool shadowing occurs when a malicious MCP tool impersonates a legitimate one by exploiting name or namespace collisions, registry weaknesses, or silent updates. Because MCP clients, and the model behind them, typically select tools by human-readable name and description, a shadow tool that copies those fields can be chosen in place of the original with no visible change to the user. The client believes it is calling the intended trusted tool but instead invokes the malicious tool, which executes unauthorised actions, exfiltrates data, or abuses the elevated privileges granted to the original.

Remediation

  • Require cryptographic signing of tool manifests and binaries; verify signatures against trusted publishers.
  • Resolve and pin tools by immutable identifiers (manifest hash, canonical module ID), not just human-readable names.
  • Use registry allowlists with enforced namespace ownership and alert on ownership changes.
  • Prompt users with full provenance (publisher, namespace, manifest hash) and permission scopes at install/update; require re-approval for any manifest change, including changes to the tool description that the model reads.
  • Sandbox all third-party tools with restricted permissions to limit blast radius.

Metadata

  • Severity: high
  • Slug: mcp-tool-shadowing

CWEs

  • 284: Improper Access Control
  • 829: Inclusion of Functionality from Untrusted Control Sphere

OWASP

  • LLM01:2025: Prompt Injection
  • LLM03:2025: Supply Chain
