- The paper demonstrates that Function Hijacking Attacks can subvert agentic LLMs by injecting adversarial tokens into function descriptions.
- It employs gradient-based adversarial prompt engineering to manipulate function selection, achieving 70%-100% attack success across models.
- Extensive experiments on the BFCL dataset and real systems confirm the robustness of the attack, highlighting critical vulnerabilities in MCP protocols.
Function Hijacking Attacks on MCP: Systematic Vulnerabilities in Function Calling Agentic Models
Overview
"Breaking MCP with Function Hijacking Attacks: Novel Threats for Function Calling and Agentic Models" (2604.20994) presents a rigorous investigation into the vulnerability of function-calling LLMs, specifically those operating under Model Context Protocols (MCP) in agentic AI systems. The paper formalizes a Function Hijacking Attack (FHA) capable of manipulating the tool selection process to force invocation of attacker-chosen functions. The approach is agnostic to both the semantics of context and the specifics of function sets, ensuring broad applicability and robustness across diverse agentic environments. The work establishes the attack's generality and efficacy against state-of-the-art models, underscores its practical implications given current system designs, and sets a clear challenge for securing agentic LLMs.
Figure 1: High-level illustration of FHA operation on a GitHub MCP server, where function metadata is poisoned to induce malicious selection.
Technical Contributions
The attack leverages gradient-based adversarial prompt engineering, adapting the GCG jailbreaking method (Zou et al., 2023) explicitly for the function calling paradigm. In FHA, adversarial tokens are injected directly into the description field of a target function within the MCP's available functions list—a vector exposed to users but challenging to validate through automated means. The optimization objective minimizes cross-entropy loss between the desired function call output and the poisoned input, with strict control over only the textual description, avoiding detectable artifacts like name changes or altered parameters.
The methodology is formalized as follows:
- Let F={f1,…,fm} represent available functions and q the user query. Model πϕ is fine-tuned for function calling.
- The attacker perturbs the description of ftarget, yielding x^1:s, with the output forced as y^fh={ftargetname,atarget,1,…}.
- The optimization minimizes Ladv(x^1:s)=−logPπϕ(y^fh∣x^1:s).
This attack, instantiated with LLMs such as Llama-3.2-3B-Instruct, Mistral-7B-Instruct-v0.3, and Qwen-3 series, demonstrates broad transferability, high efficacy, and minimal detection risk in real-world MCP deployments.
Empirical Evaluation
Extensive experiments utilize the Berkeley Function Calling Leaderboard (BFCL) dataset [patil2023gorillalargelanguagemodel], comprising diverse payloads and function configurations, to rigorously benchmark the FHA. The evaluations target both instructed and reasoning LLMs, testing attack resilience against variations in function position, count, and semantic diversity.
Key numerical results:
- FHA achieves 70%–100% Attack Success Rate (ASR) across target models and datasets, far surpassing prior indirect prompt or tool preference manipulation baselines.
- Slot-filling ASRs (valid parameter generation) closely follow function-name ASR, indicating practical viability for real-world exploitation.
- Universal attacks trained to hijack batches of semantically diverse queries generalize successfully across unseen prompts and varying function sets.

Figure 2: FHA effectiveness (ASR) as a function of target function position within the payload and varying total function count.
Figure 3: Demonstration of direct versus transferred adversarial attacks, and comparison across synthetic query generation strategies.
Attack robustness was further validated by transfer experiments: poisoning persisted despite moderate addition/removal of functions and changes in position/order (Takeway 2.3). Universal FHA, optimized across multiple payloads, further enhanced tolerance to heavy MCP edits—demonstrably hijacking with up to 25 noise functions added.
Analysis of Payload Properties and Universality
A systematic analysis establishes that both the position and total number of functions in the payload significantly impact attack efficiency. Adversarial token proportion relative to overall context, and early placement of the targeted function, were found to positively correlate with hijacking success and speed.
Correlation studies with BERT-based semantic similarity metrics highlight that target functions closer to the user's query (in embedding space) require fewer optimization epochs, yet semantic proximity is not strictly necessary for attack effectiveness.
Universal FHA variants, trained across synthetic query batches (via data augmentation with GPT-4o-mini), successfully generalize, with single adversarial descriptors hijacking function selection for semantically diverse or multi-intent inputs. Transferability depends on batch composition: attacks can be designed to only affect chosen functions/intents, leaving unrelated ones unaffected.

Figure 4: Robustness of universal FHA as measured by batch attacks across varying function positions and numbers within the payload.
Security Implications and Comparative Analysis
Baseline comparisons against Function Injection (using Llama-3-70B for function preference optimization) and the MCP Preference Manipulation Attack (MPMA) (Wang et al., 16 May 2025) reveal that FHA is substantially more generalizable and effective. Prior attacks are constrained by semantic preference or similarity; FHA exploits the MCP protocol's reliance on textual description exposed to users and bypasses semantic alignment mechanisms.
Demonstrations on real MCP servers (GitHub, Slack) validate practical applicability, reinforcing the urgent need for defensive measures. The systematic vulnerabilities identified challenge both detection and mitigation paradigms and expose agentic architectures to stealthy, enduring exploits.
Theoretical and Practical Implications
The research fundamentally augments the taxonomy of adversarial threats against function-calling LLM agents. The identification of description-based poisoning as a universal, context-agnostic vector compels reconsideration of MCP validation, function metadata sanitization, and model tool-selection robustness.
From a theoretical perspective, the work motivates deeper exploration of attention distribution and optimization boundaries in function-calling mechanisms. The vulnerability to gradient-driven attacks highlights the fragility of current alignment and selection protocols; universal attack variants exemplify the difficulty of designing parameterized defenses.
Practical implications are immediate for all MCP-based agentic deployments, particularly in enterprise automation, code execution, and interactive environments. Enhanced guardrails, stricter access to function metadata, and monitoring for adversarial perturbations are non-optional.
Future Directions
The findings call for research into scalable detection of adversarial function descriptions, exploration of robust attention-based defenses, and systematic evaluation of larger-scale MCPs with high function count and domain breadth. Further study is necessary to quantify the impact of semantic and syntactic perturbations, as well as to integrate adversarial training into function-calling LLM pipelines.
Conclusion
The paper rigorously establishes the existence and potency of Function Hijacking Attacks against function-calling LLMs in MCP agentic architectures. The adversarial vector, grounded in description-based poisoning, is both universal and robust across model types, function configurations, and query diversities. Numerical results highlight high attack success and practical viability, mandating significant revision of MCP agent security paradigms. The theoretical expansion to batch/Universal attacks and empirical validation on real systems signal urgent avenues for both defensive countermeasures and further foundational research.