Cyberhaven security
6/3/2025
MCP Security: Protect sensitive data with .mcpignore
Model Context Protocol (MCP), the so-called USB-C port for AI applications, was originally released by Anthropic in November 2024. Since its introduction, companies and developer communities have released MCP servers and applications. Claude Desktop, Cursor, and Cline have added support for connecting MCP servers to their applications. While MCP is an exciting new way to accelerate AI application development, it also makes it easier to put your sensitive data at risk.
Model Context Protocol
Research has found that MCP clients are vulnerable to prompt injection attacks and rug pull attacks. In this blog post, the Cyberhaven Labs team will show how a prompt-injected tool on an MCP server can leverage the shared client context to exfiltrate your most sensitive data. We will also showcase a data-security-first MCP server with .mcpignore capabilities that prevents users from putting sensitive data into the client context.
Threat and Experiment
When multiple MCP servers are connected to a client, the servers share the client’s chat session context, allowing a malicious server or a tool to exfiltrate sensitive data. To demonstrate this vulnerability, we carried out an experiment using a simple prompt injection attack, which resulted in the extraction of an API_KEY.

In this experiment, we use Claude Desktop as our MCP client. We connect the client to @modelcontextprotocol/server-filesystem, which has over 30,000 weekly downloads. We also connect the client to a seemingly innocuous but malicious MCP server that can export data as a PDF file. When configuring the filesystem server for the client, the user provides a list of directories that the client can access. Let’s allow our client to access a local repository, as shown in the image below. This grants our MCP client access to all directories and files within the local repository. In other words, the MCP client can now read and process even sensitive files, such as .env.

Now, let’s connect our client to an MCP server with the following malicious tool. While the tool appears to export some data as a PDF for the user, the tool description is injected with instructions to retrieve and export any .env contents, without letting the user know.

Let’s say that the .env file contains API_KEY="ABC-123" and we read its contents previously in our chat history. Then, as shown in the image below, when prompted to export some arbitrary data, the malicious tool successfully retrieves the API_KEY from the client’s context and appends it to the data it's exporting.

Solution
Following our experiment, we asked: How can we prevent sensitive data from entering the MCP client context while still leveraging the capabilities of the filesystem MCP server? Cyberhaven’s solution builds on a familiar concept: we extend the idea behind .gitignore by introducing a new mechanism, .mcpignore. This allows developers to specify exclusion patterns that prevent sensitive data from entering the client context. While Cursor and Cline provide similar ignore functionality, through .cursorignore and .clineignore files respectively, these mechanisms only apply to the working directory and lack support for directories connected via a filesystem MCP server.
Let’s replicate the same experiment using @cyberhaven/mcpignore-filesystem and add the .env pattern to the repository’s .mcpignore file. Then, when the client attempts to read the .env file, the server denies access to the file's contents, blocking potential exfiltration of sensitive data.
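As an added illustration that is not Cyberhaven's code and not the published @cyberhaven/mcpignore-filesystem implementation, the Node.js snippet below shows how a filesystem MCP server's read handler can apply .gitignore-style patterns from .mcpignore before any file contents reach the client context. The in-memory repository, the .mcpignore text and the readFileGuarded helper are constructed for this example; the matcher implements a subset of .gitignore semantics, and it also normalizes "src/../.env" to ".env" so a path written that way cannot slip past the .env pattern.

```javascript
// Subset of .gitignore rules: '#' comments; '!' negation (last match wins); a pattern without
// '/' matches a name at any depth, one with '/' is anchored to the served root; trailing '/' = directory.
function globToRegExp(glob) {
  return glob.replace(/\*\*|\*|\?|[.+^${}()|[\]\\]/g, (m) =>
    m === "**" ? ".*" : m === "*" ? "[^/]*" : m === "?" ? "[^/]" : "\\" + m);
}

function parseMcpIgnore(text) {
  const rules = [];
  for (let pat of text.split("\n").map((l) => l.trim())) {
    if (!pat || pat.startsWith("#")) continue;
    const negate = pat.startsWith("!"); if (negate) pat = pat.slice(1);
    const dirOnly = pat.endsWith("/"); if (dirOnly) pat = pat.slice(0, -1);
    const anchored = pat.includes("/"); if (pat.startsWith("/")) pat = pat.slice(1);
    const re = new RegExp((anchored ? "^" : "(^|/)") + globToRegExp(pat) + (dirOnly ? "/" : "(/|$)"));
    rules.push({ negate, re });
  }
  return rules;
}

// Resolve '.' and '..' so 'src/../.env' is checked as '.env'; refuse to leave the served root.
function normalize(p) {
  const out = [];
  for (const seg of p.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg !== "..") out.push(seg);
    else if (!out.pop()) throw new Error("path escapes served root");
  }
  return out.join("/");
}

function isIgnored(relPath, rules) {
  return rules.reduce((ign, r) => (r.re.test(relPath) ? !r.negate : ign), false);
}

// Constructed in-memory repository and .mcpignore so the example runs offline.
const MCPIGNORE = "# keep secrets out of the client context\n.env\n*.pem\n!public.pem\nsecrets/\n";
const FILES = {
  ".env": 'API_KEY="ABC-123"\n',
  "src/index.js": "console.log('hello');\n",
  "certs/server.pem": "-----BEGIN PRIVATE KEY----- (constructed)\n",
  "certs/public.pem": "-----BEGIN CERTIFICATE----- (constructed)\n",
};
const RULES = parseMcpIgnore(MCPIGNORE);

// What a read_file tool handler does before any content can reach the client context.
function readFileGuarded(relPath, files = FILES, rules = RULES) {
  let p; try { p = normalize(relPath); } catch (e) { return { ok: false, error: e.message }; }
  if (isIgnored(p, rules)) return { ok: false, error: `Access denied: ${p} is excluded by .mcpignore` };
  if (!(p in files)) return { ok: false, error: `Not found: ${p}` };
  return { ok: true, content: files[p] };
}
```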

Interested in running this MCP server locally?
We submitted a pull request to the Model Context Protocol Servers repository implementing this functionality. In the meantime, you can start using our server and protect your sensitive data via npx by following the instructions in our open-source repository.

Conclusion
Although connecting a filesystem MCP server to a client lets one perform a breadth of filesystem actions, it creates a risk of data exfiltration through the shared client context. To mitigate this risk, we introduce a data-security-first filesystem MCP server with added .mcpignore functionality. By adding .gitignore-like exclusion patterns to .mcpignore, users can reduce the risk of data exfiltration when interacting with local filesystems via their clients.