Line jumping is a Model Context Protocol attack where a malicious server injects adversarial instructions through a tool description that the model ingests the moment the agent connects — before the user calls any tool. The poisoned description "jumps the line" straight into the model's context, so a server can carry out prompt injection without the user ever invoking its tools. Described in 2025 MCP security research, it is a specific form of tool-description injection and a close relative of tool poisoning. The core defense is to treat all tool metadata as untrusted input and keep it out of the agent's instruction channel.
When an agent connects to an MCP server, it loads every tool's name, description, and schema into context so the model knows what is available. Those descriptions are attacker-controlled if the server is malicious. In a line-jumping attack, the description contains instructions — not just a description of the tool — and because the metadata is loaded up front, the model reads and can act on it before the user has requested anything. The attack does not require the poisoned tool to ever be called; mere connection is enough.
Line jumping falls under the OWASP Top 10 for agentic applications and is catalogued in the CASURA taxonomy of AI-agent vulnerabilities. It sharpened a key insight from 2025 MCP research: the dangerous moment is not when a tool is called but when its description is loaded. Defenses that only gate tool execution miss the attack entirely.