Descriptor Mutation

Descriptor Mutation is the phenomenon where an MCP tool descriptor changes between agent runs without any update to the connector's declared version. A descriptor that was benign at install time can become weaponised on its next read; a descriptor that was loaded with a particular schema can return a different schema on the following run. The phenomenon is structurally important because most agent runtimes do not log descriptors per load, do not diff them across runs, and have no mechanism to reject a descriptor that has changed without explicit operator approval.

Descriptor mutation is the mechanism that enables tool poisoning attacks at run time, and it is the specific control failure exploited by CVE-2025-54136 ("MCPoison") in Cursor IDE — analysed in detail in the Cursor IDE MCP CVEs writeup. An attacker who controls an MCP server the user has connected can ship a descriptor mutation at any subsequent connection without re-publishing the package or triggering any update notification.

Why Descriptor Mutation Is Hard to Detect

Three properties make descriptor mutation difficult to detect in production. It happens out of band of normal package management. Lockfiles, signature verification, and registry trust controls all operate at install time. Descriptor mutation happens at run time, after every install-time control has already passed. The mutation is content-shaped, not version-shaped. A connector at version 1.2.3 with a benign descriptor and the same connector at version 1.2.3 with a malicious descriptor produces no version diff — the malicious change is invisible to anything that monitors only versions. Most agent runtimes overwrite the previous descriptor without recording it. When the new descriptor arrives, the old one is gone. Without explicit logging, there is nothing to compare against.

Detection and Defensive Patterns

The single most effective control against descriptor mutation is mechanical: log the full descriptor content at every load, and diff against the previous load. The signal is unambiguous — a descriptor that suddenly contains instruction-shaped content ("ignore previous", "also send to", "do this before") that was not there yesterday is an active incident, not an anomaly. This is the control Cursor was missing pre-1.2.5.

Beyond logging-and-diff, secondary defences include: pinning specific descriptor hashes alongside connector versions in lockfiles; rejecting descriptors that exceed length thresholds; sanitising descriptors against known prompt-injection patterns before they enter the LLM context; and surfacing descriptor changes to the user for explicit approval before applying. The MCP Security Checklist includes descriptor-load logging in its Critical Server Implementation Security category.

For deeper context on the broader supply-chain framing, see OWASP ASI04 — Agentic Supply Chain Attacks.