Measurement-device-independent quantum key distribution (MDI-QKD) can remove all detection side-channels from quantum communication systems. The security proofs require, however, that certain assumptions on the sources are satisfied. This includes, for instance, the requirement that there is no information leakage from the transmitters of the senders, which unfortunately is very difficult to guarantee in practice. In this paper we relax this unrealistic assumption by presenting a general formalism to prove the security of MDI-QKD with leaky sources. With this formalism, we analyze the finite-key security of two prominent MDI-QKD schemes-a symmetric three-intensity decoy-state MDI-QKD protocol and a four-intensity decoy-state MDI-QKD protocol-and determine their robustness against information leakage from both the intensity modulator and the phase modulator of the transmitters. Our work shows that MDI-QKD is feasible within a reasonable time frame of signal transmission given that the sources are sufficiently isolated. Thus, it provides an essential reference for experimentalists to ensure the security of implementations of MDI-QKD in the presence of information leakage.