What is a Replay Attack (Tool Call)?
A replay attack on tool calls captures and re-sends a valid MCP tool call to execute it again, potentially duplicating financial transactions, destructive operations, or data modifications.
WHY IT MATTERS
Replay attacks are a classic network security threat applied to the MCP protocol. An attacker captures a legitimate tool call — including its parameters, authentication context, and metadata — and re-sends it later. The server processes the replayed call as if it were a new, legitimate request.
In the MCP context, replay attacks are particularly dangerous for non-idempotent operations. A replayed payment tool call processes the same transaction twice. A replayed delete operation attempts to remove more data. A replayed message-sending call duplicates communications. Any tool call that changes state becomes a replay target.
The capture phase can occur through MITM on network transports, compromised logging systems that record full tool call payloads, malicious MCP servers that log calls for later replay, or access to audit logs that contain complete call details.
MCP's current protocol does not include built-in replay protection mechanisms like nonces, timestamps, or sequence numbers. This means replay defence must be implemented at the transport layer (TLS), the proxy layer (call deduplication), or the server layer (idempotency keys).
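The proxy-layer deduplication and idempotency-key approach described above, as an added example that is not PolicyLayer's code or part of the MCP specification. The tool names, the `idempotency_key` and `issued_at` argument names and the five-minute window are assumptions made for illustration. It also assumes calls arrive over an authenticated, integrity-protected channel, so the key and timestamp cannot be altered in transit.

```python
import hashlib, json, time

SENSITIVE_TOOLS = {"send_payment", "delete_records"}  # hypothetical tool names
MAX_AGE_S = 300  # assumed freshness window: accept calls issued within 5 minutes

class ReplayGuard:
    """Proxy-side check for MCP `tools/call` requests on state-changing tools."""

    def __init__(self, now=time.time):
        self.now = now
        self.seen = {}  # (caller, idempotency_key) -> (digest of call, expiry time)

    def check(self, caller, request):
        """Return 'allow', 'duplicate', 'conflict', 'stale' or 'missing_key'."""
        params = request.get("params", {})
        if request.get("method") != "tools/call" or params.get("name") not in SENSITIVE_TOOLS:
            return "allow"  # non-sensitive tools are not tracked
        args = params.get("arguments", {})
        key, issued = args.get("idempotency_key"), args.get("issued_at")
        if not isinstance(key, str) or not isinstance(issued, (int, float)):
            return "missing_key"  # sensitive call without the required fields
        t = self.now()
        if abs(t - issued) > MAX_AGE_S:
            return "stale"  # captured call re-sent outside the freshness window
        # Drop expired entries so the table stays bounded.
        self.seen = {k: v for k, v in self.seen.items() if v[1] > t}
        canonical = json.dumps([params["name"], args], sort_keys=True).encode()
        digest = hashlib.sha256(canonical).hexdigest()
        prior = self.seen.get((caller, key))
        if prior is None:
            # Keep the entry longer than the window in which a replay is still fresh.
            self.seen[(caller, key)] = (digest, issued + 2 * MAX_AGE_S)
            return "allow"
        # Same key, same call: a replay. Same key, different call: key reuse.
        return "duplicate" if prior[0] == digest else "conflict"

if __name__ == "__main__":
    # Constructed sample call, not captured traffic.
    call = {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
            "params": {"name": "send_payment",
                       "arguments": {"amount": 50, "to": "acct-1",
                                     "idempotency_key": "k1", "issued_at": time.time()}}}
    guard = ReplayGuard()
    print(guard.check("agent-a", call), guard.check("agent-a", call))
```

Only an `allow` verdict should be forwarded to the MCP server; a `duplicate` can be answered with the stored result of the first call instead of executing the tool again.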
HOW POLICYLAYER USES THIS
Intercept can enforce replay protection through YAML policies that track tool call patterns. Rate limiting prevents rapid re-execution of identical calls, and the audit trail's timestamped records enable detection of duplicated operations. For sensitive tools (payments, deletions), policies can require unique identifiers in parameters — effectively mandating idempotency keys at the proxy layer.