MCP Server Sandbox Bypass: Arbitrary File Read/Write (CVE-2025-53110)
A critical MCP server vulnerability (CVE-2025-53110) allowed complete sandbox bypass, enabling arbitrary file read and write operations on the host system.
The sandbox was supposed to contain the agent. CVE-2025-53110 proved it was made of paper.
A critical vulnerability in MCP servers allowed complete sandbox bypass, granting arbitrary file read and write operations on the host system. Any AI agent connected through the vulnerable MCP server could read any file on the host (credentials, private keys, database configs, source code) and write to any location.
The vulnerability undermined the fundamental security premise of MCP: that servers provide controlled, sandboxed access to tools and resources. Instead, the sandbox was trivially escapable, turning every connected agent into a fully privileged process on the host machine.
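The article does not disclose how the sandbox was bypassed, so as an added illustration (not code from the MCP project or from this article) the Python below shows the containment property a file-access MCP tool has to enforce: every requested path, after `..` segments and symlinks are resolved, must still fall inside the allowed root. The helper names and the temporary files are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


class SandboxEscape(Exception):
    """Raised when a requested path would leave the allowed root."""


def resolve_inside_root(root: str, requested: str) -> Path:
    """Resolve `requested` (as a file tool would receive it from an agent)
    against `root` and refuse anything that lands outside the root once
    '..' segments and symlinks have been followed.
    Hypothetical helper, not the MCP reference implementation."""
    root_real = Path(root).resolve(strict=True)
    # Join first, then resolve: an absolute `requested` replaces the root,
    # '..' walks upward, and symlinks jump elsewhere; resolve() collapses all.
    candidate = (root_real / requested).resolve(strict=False)
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise SandboxEscape(f"{requested!r} resolves to {candidate}, outside {root_real}")
    return candidate


def demo() -> dict:
    """Build a constructed sandbox holding one legitimate file and one symlink
    that points outside it, then record which requests the check allows."""
    results = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as root:
        (Path(root) / "notes.txt").write_text("inside the sandbox\n")
        secret = Path(outside) / "id_rsa"  # constructed stand-in for a host secret
        secret.write_text("constructed fake key material\n")
        os.symlink(secret, Path(root) / "link_to_secret")
        for req in ["notes.txt", "../../etc/passwd", "link_to_secret", "/etc/passwd"]:
            try:
                resolve_inside_root(root, req)
                results[req] = "allowed"
            except SandboxEscape:
                results[req] = "rejected"
    return results


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request:20} {verdict}")
```

Only the plain file inside the root is allowed; traversal, an absolute path, and the symlink pointing out of the root are all rejected because the check runs on the resolved path, not on the string the agent supplied.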
The CVE was particularly dangerous because MCP servers often run on developer machines and production infrastructure simultaneously, connected to agents that have been granted broad operational access. A sandbox bypass in this context doesn't just expose one system; it exposes everything the developer or the infrastructure has access to.
MCP promised safe tool access. CVE-2025-53110 delivered unrestricted host access. The gap between promise and reality was one exploit.