Threat Catalog
Every detection rule MCPSafe ships. Each entry maps to a CWE and a severity tier, and links to a page with explanation and detection notes. Paste an MCP server on the scan page to run the whole catalog against it.
91 rules · Last updated 2026-05-13T19:10:20Z
| Rule ID | Name | Description | Severity | CWE | Scan type |
|---|---|---|---|---|---|
| MCP-221 | hyperlink-injection-in-output | Flags MCP tool implementations that build hyperlink URLs by | HIGH | CWE-79 | Fast |
| MCP-222 | html-in-tool-output | Flags MCP tool implementations that return HTML content without | HIGH | CWE-79 | Fast |
| MCP-223 | unicode-tag-smuggling | Flags MCP source files that contain code points from the Unicode | HIGH | CWE-1007 | Fast |
| MCP-230 | jwt-verify-disabled | Flags JWT verification anti-patterns: | HIGH | CWE-347 | Fast |
| MCP-231 | jwt-no-expiration | Flags JWT sign / encode calls where the payload literal does not | MEDIUM | CWE-613 | Fast |
| MCP-232 | hardcoded-crypto-key | Flags crypto primitives initialised with a string-literal key: | HIGH | CWE-798 | Fast |
| MCP-233 | tls-verify-disabled | Flags outbound HTTP / network clients with TLS certificate | HIGH | CWE-295 | Fast |
| MCP-234 | session-in-localStorage | Flags any write to `localStorage` or `sessionStorage` whose key | HIGH | CWE-922 | Fast |
| MCP-235 | csrf-missing-on-state-change | Flags files that register a state-changing HTTP route (POST / | MEDIUM | CWE-352 | Deep |
| MCP-240 | unpinned-github-actions | Flags GitHub Actions workflow files (`.github/workflows/*.yml` and | MEDIUM | CWE-1357 | Fast |
| MCP-250 | toctou-file-access | Flags time-of-check-to-time-of-use (TOCTOU) races: a path-existence | MEDIUM | CWE-367 | Deep |
| MCP-251 | pii-in-logs | Flags identifiers whose names indicate PII (email, ssn, phone, | MEDIUM | CWE-532 | Deep |
| MCP-252 | tool-description-budget-bomb | Flags MCP tool registrations whose `description` literal exceeds | MEDIUM | CWE-770 | Fast |
| MCP-260 | confused-deputy-no-per-client-consent | Closes the official MCP security best practices "Confused Deputy" | HIGH | CWE-441 | Deep |
| MCP-261 | redirect-uri-non-exact-match | Closes the official MCP security best practices Confused Deputy | HIGH | CWE-601 | Fast |
| MCP-262 | oauth-state-missing-or-late | Closes the official MCP security best practices Confused Deputy | HIGH | CWE-352 | Deep |
| MCP-263 | consent-cookie-weak | Closes the official MCP security best practices Confused Deputy | MEDIUM | CWE-1004 | Fast |
| MCP-264 | consent-ui-clickjackable | Closes the official MCP security best practices Confused Deputy | MEDIUM | CWE-1021 | Fast |
| MCP-265 | token-passthrough | Closes the official MCP security best practices "Token Passthrough" | HIGH | CWE-345 | Deep |
| MCP-266 | session-not-bound-to-user | Closes the official MCP security best practices "Session Hijacking" | MEDIUM | CWE-384 | Fast |
| MCP-267 | predictable-session-id | Closes the official MCP security best practices Session Hijacking | HIGH | CWE-330 | Fast |
| MCP-268 | local-http-transport-no-auth | Closes the official MCP security best practices "Local MCP Server | HIGH | CWE-306 | Deep |
| MCP-269 | wildcard-oauth-scopes | Closes the official MCP security best practices Scope Minimization | MEDIUM | CWE-272 | Fast |
| MCP-270 | sampling-hidden-prompt-injection | Closes the Unit42 "Resource Theft via Hidden Prompts" attack on | HIGH | CWE-94 | Deep |
| MCP-271 | persistent-injection-via-tool-output | Closes the Unit42 "Conversation Hijacking via Persistent Prompt | MEDIUM | CWE-94 | Deep |
Showing 51–75 of 91 rules
MCPSafe detects every issue in this catalog automatically. Paste an MCP server’s GitHub URL or package name on the scan page.