// GLOSSARY -- AI AGENT SECURITY

What is Line Jumping?

2 min read Updated

Line jumping is an MCP attack class, described by Trail of Bits, in which a malicious server embeds prompt injection payloads in tool descriptions returned from tools/list, manipulating the model's behaviour before any tool is invoked.

WHY IT MATTERS

When an MCP client connects to a server, it calls tools/list and places the returned tool names, descriptions, and schemas into the model's context so the model knows what it can call. Line jumping exploits this step: the injection payload rides in the description text itself, so it shapes the model's behaviour the moment the server connects — the attack "jumps the line" ahead of any tool invocation.

This is what makes the class distinct from ordinary tool poisoning scenarios that require the poisoned tool to be called. Most MCP security controls — human approval prompts, per-call confirmation, invocation logging — sit at the call boundary. Line jumping never crosses that boundary, so those checkpoints see nothing. Trail of Bits demonstrated payloads that exfiltrate conversation history via trigger phrases and hide instructions using ANSI escape sequences.

Practical implications for teams running multiple servers:

  • Review tool descriptions before a server is added to a client, not just its tool behaviour at runtime.
  • Treat tool discovery output as untrusted input from the server.
  • Watch for description changes between versions — a benign server can turn malicious later (see MCP rug pull).

PolicyLayer puts a deterministic check in front of every tool call — the enforcement layer this page assumes.

GOVERN YOUR MCP SERVERS →

Enforced before the call runs. Nothing to install.

HOW POLICYLAYER USES THIS

PolicyLayer addresses line jumping at the adoption stage rather than the call stage. Its public catalogue at policylayer.com/tools scans MCP servers and classifies each tool's risk from its description and schema before you connect it, and the npx policylayer CLI scanner runs the same description-level analysis against your own MCP configuration. The gateway additionally pins what registered servers expose, so a server that changes its tool descriptions upstream is surfaced rather than silently re-injected into clients.

See the MCP Security reference →

FREQUENTLY ASKED QUESTIONS

Why is it called line jumping?
Because the attack skips the queue of security checkpoints: it takes effect at tools/list time, before the tool-invocation boundary where approval prompts and logging normally apply.
Does line jumping require the user to call the malicious tool?
No. The payload lives in the tool description that enters the model's context on connection, so the malicious server's tools never need to be invoked.
Do client approval prompts stop line jumping?
Not by themselves. Approval gates fire on tool calls, and line jumping influences the model before any call happens. Description review and scanning before adoption are the relevant controls.

FURTHER READING

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

GOVERN YOUR MCP SERVERS →

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.