Unsafe by Flow: Uncovering Bidirectional Data-Flow Risks in MCP Ecosystem

📅 2026-05-08
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
This work addresses the security risks posed by bidirectional data flows in the Model Context Protocol (MCP), which connects large language models to external tools, a threat poorly handled by existing analysis tools. The paper introduces MCP-BiFlow, the first framework to systematically model bidirectional vulnerabilities in MCP. It enables static detection of unsafe data flows on both request and response sides through protocol-aware entry-point recovery, customized taint propagation rules, and path-sensitive interprocedural analysis. Evaluated on 32 known vulnerabilities, MCP-BiFlow achieves a recall rate of 93.8% (30 out of 32), substantially outperforming mainstream tools such as CodeQL. Furthermore, it uncovers 118 confirmed vulnerable paths across 15,452 real-world repositories, demonstrating the widespread prevalence of such risks.
📝 Abstract
Model Context Protocol (MCP) has quickly become the interface layer between LLM agents and external tools, yet it also introduces unsafe data flows that existing analyzers handle poorly. Vulnerabilities manifest in two directions: requester-controlled arguments may propagate to sensitive operations, while untrusted external or sensitive internal data may surface through MCP-visible outputs and subsequently influence host or model behavior. Accurate detection is complicated by the heterogeneous registration and dispatch patterns MCP servers employ, the need for MCP-specific taint semantics, and the fact that bugs often only materialize along complete tool-scoped execution paths. We present MCP-BiFlow, a bidirectional static analysis framework built around MCP-aware entrypoint recovery, protocol-specific taint modeling, and interprocedural propagation analysis. Against a benchmark of 32 confirmed MCP vulnerability cases, MCP-BiFlow identifies 30 (93.8% recall), substantially outperforming CodeQL, Semgrep, Snyk Code, and MCPScan. Across 15,452 real-world MCP server repositories, MCP-BiFlow surfaces 549 overlap-compressed candidate clusters; manual review confirms 118 vulnerability paths in 87 servers, establishing unsafe propagation as a recurring failure mode that resists detection without protocol-aware recovery of both request-side and return-side flows.
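The two flow directions the abstract describes, shown as a small taint check over tool-scoped handlers. This is an added example, not MCP-BiFlow's code or anything from the paper. It assumes a single registration pattern (a `@<server>.tool()` decorator), straight-line handler bodies, and illustrative `SINKS` and `EXTERNAL` sets; the sample handlers are constructed and are only parsed, never executed.

```python
import ast
# Constructed sample tool handlers (parsed only, never executed).
SAMPLE = '''
@mcp.tool()
def ping(host: str) -> str:
    cmd = "ping -c 1 " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
@mcp.tool()
def fetch(url: str) -> str:
    page = requests.get(url).text
    return page
def helper(cmd):
    return os.system(cmd)
'''
SINKS = {"subprocess.run", "os.system"}  # assumed request-side sinks
EXTERNAL = {"requests.get"}              # assumed untrusted external sources

def is_tool(fn):
    """Entry-point recovery for one assumed pattern: @<server>.tool()."""
    return any(ast.unparse(d).split("(")[0].endswith(".tool") for d in fn.decorator_list)

def labels(expr, taint):
    """Taint labels an expression carries via variables or external calls."""
    out = set()
    for n in ast.walk(expr):
        if isinstance(n, ast.Name):
            out |= taint.get(n.id, set())
        elif isinstance(n, ast.Call) and ast.unparse(n.func) in EXTERNAL:
            out.add("external")
    return out

def analyze(source):
    """Return (tool, flow kind, line) findings for straight-line tool bodies."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not (isinstance(fn, ast.FunctionDef) and is_tool(fn)):
            continue  # only MCP-visible entry points are analyzed
        taint = {a.arg: {"request"} for a in fn.args.args}  # requester-controlled
        for stmt in fn.body:
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                if ast.unparse(call.func) in SINKS and any(
                        "request" in labels(a, taint) for a in call.args):
                    findings.append((fn.name, "request->sink", call.lineno))
            if isinstance(stmt, ast.Assign):
                taint.update({t.id: labels(stmt.value, taint)
                              for t in stmt.targets if isinstance(t, ast.Name)})
            elif isinstance(stmt, ast.Return) and stmt.value is not None:
                if "external" in labels(stmt.value, taint):
                    findings.append((fn.name, "external->return", stmt.lineno))
    return findings
```

`analyze(SAMPLE)` reports the request-side flow in `ping` and the return-side flow in `fetch`, and skips `helper` because it is not a registered tool entry point.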
Problem

Research questions and friction points this paper is trying to address.

MCP
data-flow
security
vulnerability
bidirectional
Innovation

Methods, ideas, or system contributions that make the work stand out.

bidirectional data-flow analysis
Model Context Protocol (MCP)
taint modeling
static program analysis
vulnerability detection