MCP-in-SoS: Risk assessment framework for open-source MCP servers

📅 2026-03-10
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses the critical gap in systematic security evaluations of open-source Model Context Protocol (MCP) servers, which hinders the reliable deployment of large language model (LLM) agents in production environments. The work presents the first large-scale static code analysis of widely used open-source MCP servers, identifying security weaknesses through Common Weakness Enumerations (CWEs) and mapping them to real-world attack patterns via MITRE CAPEC. It introduces a novel, multidimensional risk assessment framework tailored to the MCP ecosystem, integrating exploitability likelihood and potential impact. The analysis uncovers numerous high-risk vulnerabilities that severely compromise system confidentiality, integrity, and availability, underscoring the urgent need for security-by-design principles and establishing a structured benchmark for future security assessments within the MCP ecosystem.

📝 Abstract
Model Context Protocol (MCP) servers have rapidly emerged over the past year as a widely adopted way to enable Large Language Model (LLM) agents to access dynamic, real-world tools. As MCP servers proliferate and become easy to adopt via open-source releases, understanding their security risks becomes essential for dependable production agent deployments. Recent work has developed MCP threat taxonomies, proposed mitigations, and demonstrated practical attacks. However, to the best of our knowledge, no prior study has conducted a systematic, large-scale assessment of weaknesses in open-source MCP servers. Motivated by this gap, we apply static code analysis to identify Common Weakness Enumeration (CWE) weaknesses and map them to common attack patterns and threat categories using the MITRE Common Attack Pattern Enumerations and Classifications (CAPEC) to ground risk in real-world threats. We then introduce a risk-assessment framework for the MCP landscape that combines these threats using a multi-metric scoring of likelihood and impact. Our findings show that many open-source MCP servers contain exploitable weaknesses that can compromise confidentiality, integrity, and availability, underscoring the need for secure-by-design MCP server development.
Problem

Research questions and friction points this paper is trying to address.

MCP servers
security risks
open-source
risk assessment
LLM agents
Innovation

Methods, ideas, or system contributions that make the work stand out.

MCP
risk assessment framework
static code analysis
CWE
CAPEC
Pratyay Kumar
New Mexico State University
Miguel Antonio Guirao Aguilera
New Mexico State University
Srikathyayani Srikanteswara
Intel Corp.
Research interests: Wireless communications, Digital signal processing, 5G, spectrum sharing, Information Centric Networks
Satyajayant Misra
New Mexico State University
Abu Saleh Md Tayeen
University of Hartford