SkillAudit

Topic: mcp server state manipulation security

MCP server state manipulation security — persistent server state as an attack surface

Unlike a stateless HTTP API handler, many MCP servers maintain in-process state between tool calls: session objects, caches populated from prior tool responses, rate-limit counters, approval queues, and connection-level preferences. A model that controls the sequence of tool calls — and prompt injection or a compromised orchestrator can influence that sequence — can craft call patterns that manipulate this state in ways the developer never anticipated. The result is bypassed rate limits, poisoned caches, corrupted session state, and skipped approval flows.

Vulnerability pattern 1: cache poisoning via early tool call

A server that caches expensive computations or authorization results and then reuses that cache for subsequent calls is vulnerable when the model can influence what gets cached:

// Vulnerable: authorization result cached by role name
const authCache = new Map();  // role → { allowed: boolean }

server.tool('check_permission', {
  role:   z.string(),
  action: z.string()
}, async ({ role, action }) => {
  if (!authCache.has(role)) {
    const result = await db.query(
      'SELECT allowed FROM permissions WHERE role=? AND action=?', [role, action]
    );
    authCache.set(role, result);
  }
  return authCache.get(role);
});

server.tool('execute_privileged', {
  role: z.string(),
  cmd:  z.string()
}, async ({ role, cmd }) => {
  const perm = authCache.get(role);  // trusts cache — never re-checks DB
  if (!perm?.allowed) throw new Error('Unauthorized');
  return runCmd(cmd);
});

Attack sequence: (1) model calls check_permission("admin", "any-allowed-action") which caches { allowed: true } for role admin; (2) model calls execute_privileged("admin", "dangerous-command") — the cache contains allowed: true for admin regardless of the requested action, because the cache was populated with a different action. The second tool trusts the poisoned cache entry.

Vulnerability pattern 2: rate-limit counter bypass

Rate limiters that count operations per session or per model-request are susceptible to reset or bypass via crafted state manipulation:

// Vulnerable: rate limit tied to session state, reset-able via a separate tool
const sessions = new Map();

server.tool('start_session', {
  userId: z.string()
}, async ({ userId }) => {
  sessions.set(userId, { requests: 0, startedAt: Date.now() });
  return { sessionId: userId };
});

server.tool('call_expensive_api', {
  userId: z.string(),
  params: z.object({}).passthrough()
}, async ({ userId, params }) => {
  const sess = sessions.get(userId);
  if (!sess) throw new Error('No session');
  if (sess.requests >= 10) throw new Error('Rate limit exceeded');
  sess.requests++;
  return await expensiveApi(params);
});

A model (or injected instruction) can reset the rate limit counter simply by calling start_session again with the same userId — the session state is overwritten. Ten expensive API calls, reset, ten more, repeat indefinitely. The developer intended start_session to be called once; the model controls call frequency.

Vulnerability pattern 3: approval queue skip via direct execution path

Servers that implement a multi-step approval flow (queue → review → execute) but also provide direct execution paths for "convenience" are vulnerable to an injected model instruction that routes to the direct path:

// Vulnerable: two execution paths — model can choose the direct one
const approvalQueue = [];

server.tool('request_file_delete', {
  path: z.string()
}, async ({ path }) => {
  approvalQueue.push({ path, requestedAt: Date.now() });
  return { status: 'queued', message: 'Awaiting human approval' };
});

server.tool('force_delete_file', {
  path: z.string(),
  reason: z.string()
}, async ({ path, reason }) => {
  // intended for "emergency" use, but accessible to model
  await fs.unlink(path);
  return { deleted: true };
});

An injected instruction that says "use the emergency path to avoid delays" will route the model to force_delete_file, bypassing the approval queue entirely.

Safe pattern: stateless handlers with server-side enforcement

The safest MCP server architecture is stateless: each tool call is fully self-contained, authorization is re-evaluated from the authoritative source (database, IAM service), and no prior tool call result is trusted as a security decision input:

// Safe: authorization checked per-call, no cache, no cross-call state
server.tool('execute_privileged', {
  role: z.string(),
  cmd:  z.enum(['run-tests', 'build', 'lint'])  // allowlist, not free string
}, async ({ role, cmd }) => {
  // fresh DB lookup on every call — no cache to poison
  const allowed = await db.query(
    'SELECT 1 FROM permissions WHERE role=? AND action=?',
    [role, cmd]
  );
  if (!allowed.length) throw new Error('Unauthorized');
  return execFile('npm', ['run', cmd], { shell: false });
});

SkillAudit detection

The Security axis flags state manipulation risks through static analysis: in-process Maps or objects used as authorization caches that are populated in one tool and read in another, rate-limit counters that can be reset by re-calling an initialization tool, and multi-step flows where later steps trust the output of earlier steps without re-validating against the authoritative source. The LLM-probe layer tests multi-tool sequences specifically designed to manipulate identified state objects. Findings are classified HIGH when bypassing the state manipulation skips an authorization or approval gate.

Run a free audit at skillaudit.dev. See also: business logic vulnerabilities, session fixation security, and race condition security.