MCP protocol exposes design-level RCE vulnerability, Anthropic refuses to change the architecture

ME News message, April 21 (UTC+8), according to Beating Monitoring, security company OX Security recently disclosed that the open protocol MCP (Model Context Protocol, the de facto standard for AI agents calling external tools) led by Anthropic has a design-level remote code execution vulnerability. Attackers can execute arbitrary commands on any system running a vulnerable MCP implementation, obtaining user data, internal databases, API keys, and chat logs. The vulnerability does not come from the implementer’s coding mistakes, but from the default behavior of Anthropic’s official SDK when handling STDIO transmission. The Python, TypeScript, Java, and Rust implementations are all affected. STDIO is a transmission method for MCP that allows a local process to communicate via standard input and standard output. In the official SDK, StdioServerParameters will directly start a subprocess based on command parameters in the configuration. If developers do not perform additional input sanitization, any user input that reaches this step becomes a system command.

OX Security groups the attack surface into four categories: injecting commands directly through configuration interfaces; bypassing sanitization by appending a line flag to commands allowed in the whitelist (e.g., \npx -c <command>); using prompt injection in IDEs to rewrite MCP configuration files, enabling tools such as Windsurf to run a malicious STDIO service without user interaction; and secretly inserting STDIO configuration via HTTP requests in the MCP marketplace. OX Security’s figures: affected packages have been cumulatively downloaded more than 150 million times, with more than 7,000 publicly accessible MCP servers. In total, up to 200,000 instances were exposed, involving 200+ open-source projects. The team has submitted 30+ responsible disclosures and obtained 10+ high-severity or critical-severity CVEs, covering AI frameworks and IDEs including LiteLLM, LangFlow, Flowise, Windsurf, GPT Researcher, Agent Zero, and DocsGPT. In the 11 MCP package repositories they tested, 9 can be used with this technique to insert malicious configurations.

After the disclosure, Anthropic responded that this is “by design.” It said the STDIO execution model is a “safe default,” and shifted the responsibility for input sanitization to developers, refusing to change the protocol or the official SDK at the protocol level. Vendors such as DocsGPT and LettaAI have issued patches themselves, and the default behavior of Anthropic’s reference implementation has not changed. MCP is already the de facto standard for AI agents to call external tools, and OpenAI, Google, and Microsoft are also following suit. Without fixing the root cause, any MCP service that uses the default official SDK approach to handle STDIO may become an attack entry point—even if it didn’t write a single line of code incorrectly. (Source: BlockBeats)