
Security Holes in MCP Servers and How To Plug Them


These articles are AI-generated summaries. Please check the original sources for full details.


Model Context Protocol (MCP) turns one year old on November 25, 2025, yet its security vulnerabilities remain a critical concern. The “S” in MCP—intended to stand for “secure”—has instead become a punchline as organizations grapple with unauthenticated access and lack of rate limiting in stdio and StreamableHTTP servers.

Why This Matters

MCP servers, whether using stdio (local, uncached) or StreamableHTTP (external), are inherently insecure without a gateway. stdio servers bypass Kubernetes Gateways entirely, leaving them open to misuse. StreamableHTTP servers, like GitHub Copilot’s, operate as black boxes with unknown security protocols. Without proper authentication and tool control, organizations risk exposing sensitive operations, with potential costs measured in data breaches and compliance failures.

Key Insights

  • “stdio MCP Servers lack gateway integration, exposing them to unauthenticated access” (context).
  • “StreamableHTTP relies on external servers with unknown security protocols” (context).
  • “Solo Enterprise used by organizations to secure MCP with RBAC and JWT” (context).

Working Example

# Deploy MCP Server and Service
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mcp-website-fetcher
  namespace: default
spec:
  selector:
    matchLabels:
      app: mcp-website-fetcher
  template:
    metadata:
      labels:
        app: mcp-website-fetcher
    spec:
      containers:
      - name: mcp-website-fetcher
        image: ghcr.io/peterj/mcp-website-fetcher:main
        imagePullPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: mcp-website-fetcher
  namespace: default
spec:
  selector:
    app: mcp-website-fetcher
  ports:
  - port: 80
    targetPort: 8000
    appProtocol: kgateway.dev/mcp
---
# Deploy Backend for agentgateway
apiVersion: gateway.kgateway.dev/v1alpha1
kind: Backend
metadata:
  name: mcp-backend
  namespace: gloo-system
spec:
  type: MCP
  mcp:
    targets:
    - name: mcp-target
      static:
        host: mcp-website-fetcher.default.svc.cluster.local
        port: 80
        protocol: StreamableHTTP
---
# Deploy Gateway with agentgateway-enterprise
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: agentgateway
  namespace: gloo-system
spec:
  gatewayClassName: agentgateway-enterprise
  listeners:
  - name: http
    port: 8080
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same
---
# Apply JWT-based traffic policy (the JWKS below is the public verification key)
apiVersion: gloo.solo.io/v1alpha1
kind: GlooTrafficPolicy
metadata:
  name: jwt
  namespace: gloo-system
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: agentgateway
  glooJWT:
    beforeExtAuth:
      providers:
        selfminted:
          issuer: solo.io
          jwks:
            local:
              key: '{"keys":[{"kty":"RSA","kid":"solo-public-key-001","use":"sig","alg":"RS256","n":"AOfIaJMUm7564sWWNHaXt_hS8H0O1Ew59-nRqruMQosfQqa7tWne5lL3m9sMAkfa3Twx0LMN_7QqRDoztvV3Wa_JwbMzb9afWE-IfKIuDqkvog6s-xGIFNhtDGBTuL8YAQYtwCF7l49SMv-GqyLe-nO9yJW-6wIGoOqImZrCxjxXFzF6mTMOBpIODFj0LUZ54QQuDcD1Nue2LMLsUvGa7V1ZHsYuGvUqzvXFBXMmMS2OzGir9ckpUhrUeHDCGFpEM4IQnu-9U8TbAJxKE5Zp8Nikefr2ISIG2Hk1K2rBAc_HwoPeWAcAWUAR5tWHAxx-UXClSZQ9TMFK850gQGenUp8","e":"AQAB"}]}'

Practical Applications

  • Use Case: Enterprise AI teams using agentgateway to enforce RBAC on MCP tools.
  • Pitfall: Assuming default MCP configurations are secure, leading to unauthenticated access.
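The following is an added illustration (not code from the article, Solo.io or agentgateway) of the two gateway checks the Key Insights and the Use Case above rely on: authenticate a bearer JWT first, then gate MCP tools/call by role. It uses HS256 with a shared secret so it runs offline on the standard library, whereas the article's GlooTrafficPolicy verifies RS256 tokens against a local JWKS; the secret, the role-to-tool map and the claims are constructed values.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

# Constructed demo values (not from the article): the HMAC key stands in for the RSA JWKS, the role map for RBAC.
SECRET = b"demo-shared-secret-change-me"
ISSUER = "solo.io"  # the issuer the article's GlooTrafficPolicy trusts
TOOL_POLICY = {"reader": {"fetch"}, "admin": {"fetch", "shell"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict) -> str:
    """Mint an HS256 JWT (stand-in for the article's self-minted RS256 tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, now: float) -> Optional[dict]:
    """Return the claims if signature, issuer and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    # The key decides the algorithm; the token's own alg header is deliberately ignored.
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims

def authorize_mcp_request(authz: Optional[str], rpc: dict, now: float) -> Tuple[bool, str]:
    """Gateway decision for one MCP JSON-RPC message: authenticate, then gate tools/call."""
    if not authz or not authz.startswith("Bearer "):
        return False, "401 no bearer token"  # the unauthenticated path the article warns about
    claims = verify_jwt(authz[len("Bearer "):], now)
    if claims is None:
        return False, "401 invalid token"
    if rpc.get("method") != "tools/call":
        return True, "allow"  # initialize, tools/list, etc. pass once authenticated
    tool = rpc.get("params", {}).get("name")
    allowed = set().union(*(TOOL_POLICY.get(r, set()) for r in claims.get("roles", [])))
    if tool not in allowed:
        return False, f"403 tool {tool!r} not permitted for roles {claims.get('roles')}"
    return True, "allow"
```

The same ordering applies to a stdio server fronted by a gateway: no request reaches the server until the token and the tool name have both been checked.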
