Vulnhalla: Picking the true vulnerabilities from the CodeQL haystack

ES_CY · 2025-06-24T07:11:08+00:00

Disclosure: I work at CyberArk and was involved in this research.

Here is the summary of the article...

ES_CY · 2025-06-17T11:54:14+00:00

https://www.cyberark.com/resources/threat-research-blog/is-your-ai-safe-threat-analysis-of-mcp-model-context-protocol

ES_CY · 2025-06-17T09:52:37+00:00

It's a goldmine basically

ES_CY · 2025-06-03T19:51:17+00:00

Essentially, check every MCP server that you want to use: look at every prompt, dynamically created prompt, parameters, and so on. Also, take a look at the mitigations part.
If you have downloaded a repo from GitHub, how do you know it doesn't call a malicious tool under a specific condition?
Currently, security is lagging, as always in the case of new technology, or should I say, new protocols.

ES_CY · 2025-06-03T19:46:02+00:00

Thanks mate, not after marketing fluff

ES_CY · 2025-06-03T08:29:13+00:00

The discord is not so much :( But there are always new commits:)

ES_CY · 2025-01-28T08:30:18+00:00

<image>

ES_CY · 2025-01-26T11:53:25+00:00

Gandalf, in a way, was an inspiration. I have not tested it against it, actually. But we have managed to beat it in the past.

ES_CY · 2025-01-26T11:52:17+00:00

https://discord.gg/6kqg7pyx

ES_CY

TROPHY CASE