Microsoft makes MCP in Visual Studio GA but researchers warn of risks
(2025/08/21)
- Reference: 1755768789
- News link: https://www.theregister.co.uk/2025/08/21/microsoft_makes_mcp_generally_available/
- Source link:
Microsoft has declared general availability for MCP (model context protocol) servers in Visual Studio, likely to be the second most popular IDE after Visual Studio Code and with wide enterprise use.
Product manager Allie Barrie [1]said that Visual Studio can now connect to local or remote MCP servers, configured using a file called .mcp.json which can be in a user profile, for global use, or in an individual solution.
Developers can add MCP servers either by editing this file directly, or using settings in the GitHub Copilot chat window. There is also provision for one-click installation from the web. OAuth authentication is supported, for example to allow the MCP tools to have GitHub access.
[2]
Organizations that are wary of MCP usage can control access to MCP functionality via GitHub policies.
[3]
[4]
MCP servers extend the capabilities of agentic AI, enabling developers to sit back and watch tasks being done on their behalf. Barrie references the [5]list of MCP servers on GitHub, which includes MCP SDKs, nearly 400 official servers, and nearly 750 community-contributed servers for which there is a warning from Anthropic, the inventor of the protocol, that "community servers are untested and should be used at your own risk."
The GitHub MCP Server in Visual Studio - note the risky option to Always Allow
How great is that risk – not only for community MCP servers, but for MCP in general? Many have raised concerns. For example, API security company pynt [6]published research into 281 MCP servers, investigating both their capabilities and whether they might process input from an untrusted source. An untrusted source might be a web page, a slack message, an email, or other external content. According to pynt, "MCPs are becoming the new execution layer for software workflows," the consequence being that multiple agents are used together and form a compositional risk. Based on the research, only 9 percent of MCPs are fully exploitable, combining both sensitive capabilities with acceptance of untrusted input, but the compounding effect of having multiple MCPs means that using 3 servers becomes a 52 percent chance of high risk vulnerability. For example, "a slack bot MCP responded to a crafted message that triggered terminal commands via a connected task automation plugin."
Pynt has four recommendations for reducing MCP exploitability, these being:
Ensure user approval for every call to an MCP server, and do not use the "always allow" option.
Disable MCP servers that are not actively needed.
Isolate MCP servers in containers or use other mechanisms to reduce the impact of an attack.
Avoid compositional risk by not allowing a server that accepts untrusted content alongside other servers with access to sensitive capabilities.
While this is good advice, the requirement to approve every action of an MCP tool runs counter to the promise of automation as well as being vulnerable to dialog box fatigue.
It is also hard to assess whether an MCP server might accept untrusted input, and unfortunately pynt has not published a list of its findings for specific servers.
With Visual Studio, Microsoft puts special emphasis on the GitHub MCP server, [7]now open source and evolving rapidly – though readers should note that its version number is 0.12.1, and it is in public preview. There are circumstances in which this MCP server may ingest untrusted input, an example being issues or pull requests in public repositories which may include prompt injections, these being instructions to AI agents. This risk was [8]showcased by Synk's InvariantLabs in May. Most disturbing is that the researchers reported that "this is not a flaw in the GitHub MCP server code itself, but rather a fundamental architectural issue that must be addressed at the agent system level."
[9]VS Code previews chat checkpoints for unpicking careless talk
[10]Vibe coding tool Cursor's MCP implementation allows persistent code execution
[11]Cisco donates Agntcy project to Linux Foundation in the hope it gets AI agents interacting elegantly
[12]From A2A to MCP, a look at the protocols that might one day help AI automate you out of a job
A user has nevertheless reported [13]this issue as a bug , although there was, at the time of writing, no response.
An architectural flaw in the GitHub MCP Server demonstrated by Invariant Labs
Invariant's proposed solution is to bolt on security scanners such as (no surprise) some of its own products. This though is unlikely to be a complete solution to an architectural issue.
Barrie chooses not to mention security in her post, but for developers it will be top of mind. ®
Get our [14]Tech Resources
[1] https://devblogs.microsoft.com/visualstudio/mcp-is-now-generally-available-in-visual-studio/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aKbuNxQsUo37S8glt1uWbQAAAMY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aKbuNxQsUo37S8glt1uWbQAAAMY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aKbuNxQsUo37S8glt1uWbQAAAMY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://github.com/modelcontextprotocol/servers
[6] https://www.pynt.io/blog/llm-security-blogs/state-of-mcp-security
[7] https://github.com/github/github-mcp-server
[8] https://invariantlabs.ai/blog/mcp-github-vulnerability
[9] https://www.theregister.com/2025/08/12/vs_code_previews_chat_checkpoints/
[10] https://www.theregister.com/2025/08/05/mcpoison_bug_abuses_cursor_mcp/
[11] https://www.theregister.com/2025/07/30/agntcy_lf_donation/
[12] https://www.theregister.com/2025/07/12/ai_agent_protocols_mcp_a2a/
[13] https://github.com/github/github-mcp-server/issues/844
[14] https://whitepapers.theregister.com/
Product manager Allie Barrie [1]said that Visual Studio can now connect to local or remote MCP servers, configured using a file called .mcp.json which can be in a user profile, for global use, or in an individual solution.
Developers can add MCP servers either by editing this file directly, or using settings in the GitHub Copilot chat window. There is also provision for one-click installation from the web. OAuth authentication is supported, for example to allow the MCP tools to have GitHub access.
[2]
Organizations that are wary of MCP usage can control access to MCP functionality via GitHub policies.
[3]
[4]
MCP servers extend the capabilities of agentic AI, enabling developers to sit back and watch tasks being done on their behalf. Barrie references the [5]list of MCP servers on GitHub, which includes MCP SDKs, nearly 400 official servers, and nearly 750 community-contributed servers for which there is a warning from Anthropic, the inventor of the protocol, that "community servers are untested and should be used at your own risk."
The GitHub MCP Server in Visual Studio - note the risky option to Always Allow
How great is that risk – not only for community MCP servers, but for MCP in general? Many have raised concerns. For example, API security company pynt [6]published research into 281 MCP servers, investigating both their capabilities and whether they might process input from an untrusted source. An untrusted source might be a web page, a slack message, an email, or other external content. According to pynt, "MCPs are becoming the new execution layer for software workflows," the consequence being that multiple agents are used together and form a compositional risk. Based on the research, only 9 percent of MCPs are fully exploitable, combining both sensitive capabilities with acceptance of untrusted input, but the compounding effect of having multiple MCPs means that using 3 servers becomes a 52 percent chance of high risk vulnerability. For example, "a slack bot MCP responded to a crafted message that triggered terminal commands via a connected task automation plugin."
Pynt has four recommendations for reducing MCP exploitability, these being:
Ensure user approval for every call to an MCP server, and do not use the "always allow" option.
Disable MCP servers that are not actively needed.
Isolate MCP servers in containers or use other mechanisms to reduce the impact of an attack.
Avoid compositional risk by not allowing a server that accepts untrusted content alongside other servers with access to sensitive capabilities.
While this is good advice, the requirement to approve every action of an MCP tool runs counter to the promise of automation as well as being vulnerable to dialog box fatigue.
It is also hard to assess whether an MCP server might accept untrusted input, and unfortunately pynt has not published a list of its findings for specific servers.
With Visual Studio, Microsoft puts special emphasis on the GitHub MCP server, [7]now open source and evolving rapidly – though readers should note that its version number is 0.12.1, and it is in public preview. There are circumstances in which this MCP server may ingest untrusted input, an example being issues or pull requests in public repositories which may include prompt injections, these being instructions to AI agents. This risk was [8]showcased by Synk's InvariantLabs in May. Most disturbing is that the researchers reported that "this is not a flaw in the GitHub MCP server code itself, but rather a fundamental architectural issue that must be addressed at the agent system level."
[9]VS Code previews chat checkpoints for unpicking careless talk
[10]Vibe coding tool Cursor's MCP implementation allows persistent code execution
[11]Cisco donates Agntcy project to Linux Foundation in the hope it gets AI agents interacting elegantly
[12]From A2A to MCP, a look at the protocols that might one day help AI automate you out of a job
A user has nevertheless reported [13]this issue as a bug , although there was, at the time of writing, no response.
An architectural flaw in the GitHub MCP Server demonstrated by Invariant Labs
Invariant's proposed solution is to bolt on security scanners such as (no surprise) some of its own products. This though is unlikely to be a complete solution to an architectural issue.
Barrie chooses not to mention security in her post, but for developers it will be top of mind. ®
Get our [14]Tech Resources
[1] https://devblogs.microsoft.com/visualstudio/mcp-is-now-generally-available-in-visual-studio/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aKbuNxQsUo37S8glt1uWbQAAAMY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aKbuNxQsUo37S8glt1uWbQAAAMY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aKbuNxQsUo37S8glt1uWbQAAAMY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://github.com/modelcontextprotocol/servers
[6] https://www.pynt.io/blog/llm-security-blogs/state-of-mcp-security
[7] https://github.com/github/github-mcp-server
[8] https://invariantlabs.ai/blog/mcp-github-vulnerability
[9] https://www.theregister.com/2025/08/12/vs_code_previews_chat_checkpoints/
[10] https://www.theregister.com/2025/08/05/mcpoison_bug_abuses_cursor_mcp/
[11] https://www.theregister.com/2025/07/30/agntcy_lf_donation/
[12] https://www.theregister.com/2025/07/12/ai_agent_protocols_mcp_a2a/
[13] https://github.com/github/github-mcp-server/issues/844
[14] https://whitepapers.theregister.com/