MCP Security Top 10 - Part 8: Cross-Context Data Leakage
This is the eighth article in our series about the top 10 security risks associated with the Model Context Protocol (MCP). This post focuses on Cross-Context Data Leakage, a critical vulnerability where sensitive information from one user, session, or context can inadvertently leak into another.
Introduction
MCP enables powerful integrations between AI systems and external tools, often processing sensitive user data. This architecture creates a significant security concern: ensuring that data remains properly isolated within its intended context. When this isolation fails, sensitive information can leak across contexts, potentially exposing confidential data to unauthorized users or systems.
Cross-context data leakage can occur in several ways within MCP implementations, from shared server instances to cached responses and persisted state. These leaks can happen even when each individual component appears secure in isolation.
MCP Security Top 10 Series
This article is part of a comprehensive series examining the top 10 security risks when using MCP with AI agents:
- MCP Security Top 10 Series: Introduction & Index
- MCP Overview
- Over-Privileged Access
- Prompt Injection Attacks
- Malicious MCP Servers
- Unvalidated Tool Responses
- Command Injection
- Resource Exhaustion
- Cross-Context Data Leakage (this article)
- MITM Attacks
- Social Engineering
- Overreliance on AI
What is Cross-Context Data Leakage in MCP?
Cross-context data leakage in MCP occurs when:
- Information from one context (user, session, organization) becomes visible or available in another context
- Sensitive data processed by MCP tools persists beyond its intended lifecycle
- Information barriers between separate AI instances or users fail
- Data intended for one purpose is repurposed or accessed through unintended channels
Cross-context data leakage is particularly dangerous because it often appears invisible to both users and developers until sensitive information has already been exposed. Unlike some vulnerabilities that cause visible errors, data leakage can remain undetected for extended periods.
Types of Cross-Context Data Leakage in MCP
1. Shared Server State
When MCP servers maintain state across multiple users or sessions:
// VULNERABLE: Shared state across users
import { MCPServer, createTool } from 'mcp-sdk-ts';
// Problematic global cache accessible to all users/sessions
const globalResultCache = new Map();
const expensiveOperationTool = createTool({
name: "perform_expensive_calculation",
description: "Performs a resource-intensive calculation",
inputSchema: {
type: "object",
properties: {
input: { type: "string" }
},
required: ["input"]
},
handler: async ({ input }) => {
// Check if result is already in cache
if (globalResultCache.has(input)) {
return globalResultCache.get(input);
}
// Perform expensive operation
const result = await performComplexCalculation(input);
// VULNERABLE: Storing result in global cache without user isolation
// User A's data could be retrieved by User B if they use the same input
globalResultCache.set(input, result);
return result;
}
});
async function performComplexCalculation(input) {
// Simulate expensive operation
await new Promise(resolve => setTimeout(resolve, 2000));
return {
input,
result: `Processed: ${input}`,
// Might include sensitive context-specific information
privateUserData: `user-specific-data-for-${input}`
};
}
2. Persistence of Sensitive Data
When MCP tools store sensitive data unnecessarily:
// VULNERABLE: Excessive data persistence
import { MCPServer, createTool } from 'mcp-sdk-ts';
import * as fs from 'fs';
import * as path from 'path';
const processUserDocumentTool = createTool({
name: "process_user_document",
description: "Process a user's document and extract key information",
inputSchema: {
type: "object",
properties: {
userId: { type: "string" },
documentContent: { type: "string" }
},
required: ["userId", "documentContent"]
},
handler: async ({ userId, documentContent }) => {
try {
// VULNERABLE: Writing sensitive user data to disk without proper cleanup
const tempFilePath = path.join('/tmp', `user_${userId}_doc_${Date.now()}.txt`);
// Write the document to disk
fs.writeFileSync(tempFilePath, documentContent);
// Process the document
const extractedInfo = analyzeDocument(documentContent);
// No cleanup of the temporary file!
// The sensitive document remains on disk indefinitely
return {
userId,
extractedInfo
};
} catch (error) {
throw new Error(`Failed to process document: ${error.message}`);
}
}
});
function analyzeDocument(content) {
// Document analysis logic
return {
wordCount: content.split(/\s+/).length,
sentiment: 'positive',
// Other analysis results
};
}
3. Log File Leakage
When sensitive data is written to logs:
// VULNERABLE: Sensitive data in logs
import { MCPServer, createTool } from 'mcp-sdk-ts';
import * as fs from 'fs';
const LOG_FILE = '/var/log/mcp-server.log';
function logOperation(operation, details) {
const timestamp = new Date().toISOString();
const logEntry = `${timestamp} - ${operation}: ${JSON.stringify(details)}\n`;
fs.appendFileSync(LOG_FILE, logEntry);
}
const authenticateUserTool = createTool({
name: "authenticate_user",
description: "Authenticate a user with credentials",
inputSchema: {
type: "object",
properties: {
username: { type: "string" },
password: { type: "string" }
},
required: ["username", "password"]
},
handler: async ({ username, password }) => {
// Log the operation - VULNERABLE: Includes password!
logOperation('user_authentication', { username, password });
// Authenticate the user
const authenticated = await verifyCredentials(username, password);
return {
authenticated,
username
};
}
});
async function verifyCredentials(username, password) {
// Authentication logic
return username.length > 0 && password.length > 0;
}
Real-World Impact
The consequences of cross-context data leakage can be severe:
- Privacy Violations: One user's sensitive information exposed to another
- Data Breaches: Confidential information leaked to unauthorized parties
- Regulatory Violations: Non-compliance with laws like GDPR, HIPAA, or CCPA
- Trust Breakdown: Loss of user confidence when data handling issues are discovered
- Security Compromises: Information leakage enabling further attacks
Detection Methods
1. Data Flow Analysis
Trace how data moves through MCP systems:
- Map data pathways from input to output
- Identify where context identifiers might be lost
- Look for shared resources across user contexts
- Detect where isolation boundaries are crossed
2. Runtime Monitoring
Observe system behavior in operation:
- Monitor for unexpected cross-context data access
- Track sensitive data throughout its lifecycle
- Log context transitions with appropriate identifiers
- Implement canary tokens to detect leakage
3. Security Testing
Conduct specific testing for leakage vulnerabilities:
- Test with multiple concurrent users/sessions
- Deliberately introduce unique identifiers in each context
- Check for data remnants after session termination
- Verify context isolation in error conditions
Mitigation Strategies
1. Implement Context Isolation
Ensure proper separation between contexts:
// IMPROVED: Context-specific data storage
import { MCPServer, createTool } from 'mcp-sdk-ts';
// Isolation by using context-specific caches
const userContextCaches = new Map();
const expensiveOperationTool = createTool({
name: "perform_expensive_calculation",
description: "Performs a resource-intensive calculation",
inputSchema: {
type: "object",
properties: {
input: { type: "string" },
userId: { type: "string" }
},
required: ["input", "userId"]
},
handler: async ({ input, userId }) => {
// Get or create user-specific cache
if (!userContextCaches.has(userId)) {
userContextCaches.set(userId, new Map());
}
const userCache = userContextCaches.get(userId);
// Check if result is in user-specific cache
if (userCache.has(input)) {
return userCache.get(input);
}
// Perform expensive operation
const result = await performComplexCalculation(input, userId);
// Store in user-specific cache
userCache.set(input, result);
// Implement cache expiration
setTimeout(() => {
if (userCache.has(input)) {
userCache.delete(input);
}
// Clean up empty user caches
if (userCache.size === 0) {
userContextCaches.delete(userId);
}
}, 30 * 60 * 1000); // 30 minute expiration
return result;
}
});
async function performComplexCalculation(input, userId) {
// Simulate expensive operation
await new Promise(resolve => setTimeout(resolve, 2000));
return {
input,
result: `Processed: ${input}`,
// No more leaking private data across contexts
timestamp: new Date().toISOString()
};
}
2. Proper Data Lifecycle Management
Ensure sensitive data is properly managed throughout its lifecycle:
// IMPROVED: Proper cleanup of sensitive data
import { MCPServer, createTool } from 'mcp-sdk-ts';
import * as fs from 'fs/promises';
import * as path from 'path';
const processUserDocumentTool = createTool({
name: "process_user_document",
description: "Process a user's document and extract key information",
inputSchema: {
type: "object",
properties: {
userId: { type: "string" },
documentContent: { type: "string" }
},
required: ["userId", "documentContent"]
},
handler: async ({ userId, documentContent }) => {
let tempFilePath = null;
try {
// Create a temporary file with restricted permissions
tempFilePath = path.join('/tmp', `user_${userId}_doc_${Date.now()}_${Math.random().toString(36).substring(2, 10)}.txt`);
// Write the document to disk with restrictive permissions
await fs.writeFile(tempFilePath, documentContent, { mode: 0o600 }); // Only owner can read/write
// Process the document
const extractedInfo = analyzeDocument(documentContent);
return {
userId,
extractedInfo
};
} catch (error) {
throw new Error(`Failed to process document: ${error.message}`);
} finally {
// IMPROVED: Ensure cleanup in all cases (success or error)
if (tempFilePath) {
try {
await fs.unlink(tempFilePath);
} catch (cleanupError) {
console.error(`Failed to delete temporary file ${tempFilePath}: ${cleanupError.message}`);
// Additional recovery actions could be implemented here
}
}
}
}
});
function analyzeDocument(content) {
// Document analysis logic
return {
wordCount: content.split(/\s+/).length,
sentiment: 'positive',
// Other analysis results
};
}
3. Implement Secure Logging
Ensure logs don't contain sensitive information:
// IMPROVED: Secure logging practices
import { MCPServer, createTool } from 'mcp-sdk-ts';
import * as fs from 'fs';
const LOG_FILE = '/var/log/mcp-server.log';
function logOperation(operation, details, sensitiveFields = []) {
const timestamp = new Date().toISOString();
// Create a safe copy of details with sensitive data redacted
const safeDetails = { ...details };
// Redact sensitive fields
for (const field of sensitiveFields) {
if (field in safeDetails) {
safeDetails[field] = '********';
}
}
const logEntry = `${timestamp} - ${operation}: ${JSON.stringify(safeDetails)}\n`;
fs.appendFileSync(LOG_FILE, logEntry);
}
const authenticateUserTool = createTool({
name: "authenticate_user",
description: "Authenticate a user with credentials",
inputSchema: {
type: "object",
properties: {
username: { type: "string" },
password: { type: "string" }
},
required: ["username", "password"]
},
handler: async ({ username, password }) => {
// Log the operation with password marked as sensitive
logOperation('user_authentication_attempt', { username, password }, ['password']);
// Authenticate the user
const authenticated = await verifyCredentials(username, password);
// Log the result (without including the password)
logOperation('user_authentication_result', { username, authenticated });
return {
authenticated,
username
};
}
});
async function verifyCredentials(username, password) {
// Authentication logic
return username.length > 0 && password.length > 0;
}
4. Use Instance Isolation
Dedicate separate MCP server instances for different security contexts:
# Example: Starting separate MCP server instances for different contexts
# Instance for user group A
USER_GROUP=a NODE_ENV=production ./start-mcp-server.js --port 3001 --data-dir /var/mcp/user-group-a
# Instance for user group B
USER_GROUP=b NODE_ENV=production ./start-mcp-server.js --port 3002 --data-dir /var/mcp/user-group-b
# Instance for admin operations
USER_GROUP=admin NODE_ENV=production ./start-mcp-server.js --port 3003 --data-dir /var/mcp/admin
This approach ensures complete isolation between different user groups or security contexts.
5. Implement Context Headers
Pass context information explicitly through all layers:
// IMPROVED: Explicit context propagation
import { MCPServer, createTool } from 'mcp-sdk-ts';
// Context management utilities
function createContext(userId, organizationId, sessionId) {
return {
userId,
organizationId,
sessionId,
timestamp: Date.now()
};
}
function validateContext(context) {
if (!context || !context.userId || !context.organizationId) {
throw new Error('Invalid context: Missing required fields');
}
// Additional validation could be performed here
return context;
}
const getUserDataTool = createTool({
name: "get_user_data",
description: "Retrieve data for a specific user",
inputSchema: {
type: "object",
properties: {
dataType: { type: "string" },
context: {
type: "object",
properties: {
userId: { type: "string" },
organizationId: { type: "string" },
sessionId: { type: "string" }
},
required: ["userId", "organizationId", "sessionId"]
}
},
required: ["dataType", "context"]
},
handler: async ({ dataType, context }) => {
// Validate the context
const validatedContext = validateContext(context);
// Ensure the context is properly propagated
return await fetchUserData(dataType, validatedContext);
}
});
async function fetchUserData(dataType, context) {
// Always use the context for data access
// This ensures data is only retrieved within the correct context
// Example implementation
const database = getDatabase(context.organizationId);
return await database.query(
'SELECT * FROM user_data WHERE user_id = ? AND data_type = ?',
[context.userId, dataType]
);
}
Using explicit context objects throughout your application makes it easier to track where context boundaries might be crossed and prevents accidental data leakage between users or organizations.
Secure Architecture Design Patterns
When designing MCP systems to prevent cross-context data leakage, consider these design patterns:
- Context Boundary Pattern: Define clear boundaries between different security contexts
- Zero Retention Policy: Process data without persistence where possible
- Context Propagation Pattern: Pass context identifiers explicitly through all operations
- Ephemeral Processing: Create temporary, isolated environments for processing sensitive data
- Secure Memory Management: Implement memory zeroing and secure disposal of sensitive data
Conclusion
Cross-context data leakage is a significant security risk in MCP implementations that can lead to privacy violations, regulatory non-compliance, and security breaches. By implementing proper context isolation, managing data throughout its lifecycle, implementing secure logging practices, using instance isolation, and explicitly propagating context information, you can significantly reduce the risk of sensitive data leaking across contexts.
Remember that data isolation should be a fundamental design consideration from the earliest stages of development. As MCP systems grow more complex and handle more sensitive data, maintaining strong boundaries between different contexts becomes increasingly important.
In the next article in this series, we'll explore the risks of man-in-the-middle (MITM) attacks in MCP implementations and strategies for securing communications between AI systems and MCP servers.
Protect Against Cross-Context Data Leakage with Garnet
As we've explored in this article, cross-context data leakage in MCP implementations can lead to serious privacy violations and security breaches. Traditional security approaches often focus on perimeter defenses rather than the internal flow of data across different contexts.
Garnet provides specialized runtime security monitoring designed to detect and prevent inappropriate data access and leakage across contexts. Unlike conventional security tools, Garnet's approach focuses on monitoring data access patterns and context boundaries at runtime.
With Garnet's Linux-based Jibril sensor, you can protect your environments against cross-context data leakage:
- Process Isolation Monitoring: Verify that processes maintain proper isolation boundaries
- File Access Surveillance: Detect unexpected cross-context file access patterns
- Resource Usage Tracking: Monitor for unexpected resource sharing between contexts
- Data Flow Analysis: Identify potential leakage paths through system monitoring
The Garnet Platform provides centralized visibility into context isolation with real-time alerts when boundaries appear to be compromised, integrating with your existing security workflows.
Learn more about securing your AI-powered development environments against cross-context data leakage at Garnet.ai.
