CVE-2025-34072: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Anthropic Slack MCP Server
A data exfiltration vulnerability exists in Anthropic’s deprecated Slack Model Context Protocol (MCP) Server via automatic link unfurling. When an AI agent using the Slack MCP Server processes untrusted data, it can be manipulated to generate messages containing attacker-crafted hyperlinks embedding sensitive data. Slack’s link preview bots (e.g., Slack-LinkExpanding, Slackbot, Slack-ImgProxy) will then issue outbound requests to the attacker-controlled URL, resulting in zero-click exfiltration of private data.
AI Analysis
Technical Summary
CVE-2025-34072 is a critical vulnerability affecting Anthropic's deprecated Slack Model Context Protocol (MCP) Server. This vulnerability arises from the automatic link unfurling feature within the Slack MCP Server when processing untrusted input data. Specifically, an attacker can craft malicious hyperlinks embedded within messages generated by an AI agent using the Slack MCP Server. When Slack's link preview bots—such as Slack-LinkExpanding, Slackbot, or Slack-ImgProxy—encounter these attacker-crafted links, they automatically issue outbound HTTP requests to the attacker-controlled URLs without any user interaction. This behavior results in zero-click exfiltration of sensitive or private data contained within the message context. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-20 (Improper Input Validation), indicating that the root cause involves insufficient validation of untrusted input leading to unintended data disclosure. The CVSS v4.0 score of 9.3 (critical) reflects the vulnerability's high impact and ease of exploitation, as it requires no privileges, no user interaction, and can be exploited remotely over the network. The scope is high, as the vulnerability affects confidentiality (sensitive data leakage) with no integrity or availability impact. Although the Slack MCP Server is deprecated, organizations still running this component are at risk. No patches are currently available, and no known exploits have been observed in the wild yet, but the potential for exploitation is significant given the zero-click nature of the attack and the automatic outbound requests made by Slack's link preview bots.
Potential Impact
For European organizations, the impact of CVE-2025-34072 can be severe, especially for those that integrate Anthropic's Slack MCP Server within their Slack environments or use AI agents that rely on this protocol. Sensitive corporate data, including confidential messages, internal documents, or proprietary information, could be exfiltrated without any user action, leading to data breaches and potential regulatory violations under GDPR. The automatic nature of the data leakage means that attackers can stealthily harvest information, increasing the risk of espionage, intellectual property theft, or reputational damage. Additionally, organizations in regulated sectors such as finance, healthcare, and government are particularly vulnerable due to the sensitivity of the data handled and strict compliance requirements. The deprecated status of the Slack MCP Server may lead to delayed remediation, prolonging exposure. Furthermore, the vulnerability could be leveraged as a foothold for further attacks, such as social engineering or lateral movement within networks, compounding the risk to European enterprises.
Mitigation Recommendations
Given the absence of official patches, European organizations should prioritize immediate mitigation steps:
1) Disable or remove the deprecated Slack MCP Server from their environments to eliminate the attack surface.
2) Configure Slack workspace settings to restrict or disable automatic link unfurling and link preview features, especially for messages originating from AI agents or untrusted sources.
3) Implement strict input validation and sanitization on any AI-generated content before it is sent to Slack channels to prevent embedding malicious hyperlinks.
4) Monitor outbound network traffic for unusual requests to external or attacker-controlled domains originating from Slack link preview bots.
5) Employ network-level controls such as egress filtering and DNS filtering to block connections to suspicious URLs.
6) Educate security teams and Slack administrators about this vulnerability to ensure rapid detection and response.
7) Engage with Anthropic and Slack vendors for updates and patches, and plan for migration away from deprecated components.
These targeted actions go beyond generic advice by focusing on the specific mechanisms exploited by this vulnerability and the unique architecture of Slack's link preview system.
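As an added illustration of recommendations 2 and 3 (not code from Anthropic, Slack, or the original page), the following Python sketch filters agent-written text before it is posted: links to hosts outside an allowlist are replaced, and the message is sent with Slack's `unfurl_links` and `unfurl_media` arguments set to false. The allowlist, the function names and the sample message are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hosts this workspace lets agent-written messages link to.
ALLOWED_HOSTS = {"docs.example.com"}

# Slack mrkdwn links (<url|label>) first, then bare http(s) URLs.
# Scheme-less hostnames are not matched here.
URL_RE = re.compile(
    r"<(https?://[^\s<>|]+)(?:\|[^<>]*)?>|(https?://[^\s<>]+)", re.IGNORECASE
)

def host_of(url):
    """Hostname the request would actually go to (userinfo before '@' is ignored)."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""

def sanitize_text(text):
    """Replace every link to a non-allowlisted host; return (clean_text, removed_urls)."""
    removed = []

    def repl(match):
        url = match.group(1) or match.group(2)
        host = host_of(url)
        if host in ALLOWED_HOSTS:
            return match.group(0)
        removed.append(url)
        # Keep a defanged host for reviewers; drop the path and query string.
        return "[link removed: %s]" % (host.replace(".", "[.]") or "unparseable")

    return URL_RE.sub(repl, text), removed

def build_post_message(channel, text):
    """chat.postMessage arguments with previews off and untrusted links removed."""
    clean, removed = sanitize_text(text)
    payload = {"channel": channel, "text": clean,
               "unfurl_links": False, "unfurl_media": False}
    return payload, removed

# Constructed sample of agent output after reading attacker-influenced content.
SAMPLE = ("Summary: <https://evil.example/c?d=API_KEY_123|report>, runbook at "
          "https://docs.example.com/runbook or https://docs.example.com@evil.example/x")

if __name__ == "__main__":
    payload, removed = build_post_message("C0000000000", SAMPLE)
    print(payload["text"])
    print("blocked:", removed)
```

The list of removed URLs is returned so the caller can log it: a blocked link in agent output is a signal that the agent processed manipulated input.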
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Switzerland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.550Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68653a166f40f0eb7292c959
Added to database: 7/2/2025, 1:54:30 PM
Last enriched: 7/2/2025, 2:09:47 PM
Last updated: 7/14/2025, 10:44:05 AM