Anthropic warns MCP design flaw endangers 200,000 servers, prompting urgent fixes

Published by
SectorHQ Editorial

200,000 servers could be hijacked, warns security researcher Ox, after Anthropic’s Model Context Protocol (MCP) was found to contain a design flaw; Anthropic has refused to patch it, The Register reports.

Key Facts

  • Key company: Anthropic

The Ox research team’s investigation, which began in November 2025, uncovered that MCP’s reliance on STDIO as a transport layer creates a direct command‑execution path that can be triggered without authentication. When an MCP client spawns a server subprocess, the protocol forwards any string it receives to the operating system. If the string forms a valid command that launches an STDIO server, the protocol returns a handle; if the command fails, it merely returns an error after execution. This “run‑any‑command‑then‑return‑status” behavior, described by the researchers as “expected” by Anthropic, effectively gives any caller the ability to execute arbitrary OS commands on the host machine (The Register). Because MCP is bundled as an open‑source SDK for Python, TypeScript, Java and Rust, every application that imports the library inherits this execution primitive, exposing a massive attack surface across the AI ecosystem.

Four distinct vulnerability classes flow from this design flaw, all converging on remote code execution (RCE). The first class—unauthenticated and authenticated command injection—allows an attacker to inject user‑controlled strings that are passed straight to the shell. The researchers demonstrated that a malicious client can issue a simple “rm -rf /” payload and have it run on the MCP server, compromising any system that exposes a public UI. Projects built on the protocol, such as all versions of LangFlow—a low‑code framework from IBM—are therefore vulnerable; the team disclosed the issue to LangFlow on 11 January but no CVE has been issued (The Register). GPT Researcher, an open‑source AI agent, is similarly at risk and is tracked under CVE‑2025‑65720, though a patch remains unavailable.

The second class—unauthenticated command injection with hardening bypass—targets applications that have added input sanitisation or sandboxing. By exploiting the fact that MCP forwards the raw command string before any developer‑level checks, an attacker can slip past these defenses and achieve the same RCE outcome. The Register notes that both Upsonic (CVE‑2026‑30625) and Flowise (GHSA‑c9gw‑hvqq‑f33r) have attempted hardening, yet the underlying protocol flaw still permits bypass. The third class involves privilege escalation via crafted STDIO handles, where a low‑privilege process can co‑opt a higher‑privilege MCP server that has already opened a privileged handle. Finally, the fourth class leverages error‑return paths: even when a command fails, the protocol still executes it before reporting the error, giving attackers a window to run side‑channel payloads that do not require a successful handle.
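The distinction the researchers draw, between a host that hands a received string to the operating system and one that only spawns servers it was configured to run, is easiest to see side by side. The following is an added example, not code from the article, from Anthropic, or from any MCP SDK; the server names, executables and paths in the allowlist are constructed, and the `--root` flag is assumed for illustration. The weak launcher runs whatever string arrives through the shell, so a caller who controls the string controls the host; the hardened launcher lets a caller pick only a server *name*, resolves it to an operator-approved argv, checks that the executable exists before spawning, and never involves a shell.

```python
"""Added example (not from the article, Anthropic or the MCP SDK):
an MCP host launching STDIO servers. Contrasts handing a received
string to the shell with spawning only operator-approved argv.
Server names, executables and paths below are constructed.
"""
from __future__ import annotations

import shutil
import subprocess


class LaunchRejected(ValueError):
    """Raised when a requested STDIO server launch is not permitted."""


# Constructed allowlist: the only servers this host will spawn. In a real
# host this comes from operator-controlled configuration, never from the
# client, a web form or the model.
APPROVED_SERVERS: dict[str, list[str]] = {
    "filesystem": ["mcp-server-filesystem", "--root", "/srv/shared"],
    "git": ["mcp-server-git"],
}

# Characters that would be meaningful if the argv ever reached a shell;
# rejected defensively even though spawn_hardened never invokes one.
SHELL_METACHARS = frozenset(";|&$`<>\n\r")


def spawn_weak(command_string: str) -> subprocess.Popen:
    """The pattern the article describes: the received string is run as-is.

    With shell=True the OS shell interprets the whole string, so whoever
    controls command_string controls the host. Shown for contrast only.
    """
    return subprocess.Popen(command_string, shell=True,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)


def resolve_launch(server_name: str, extra_args: list[str] | None = None) -> list[str]:
    """Map a caller-chosen server *name* to an approved argv.

    The caller never supplies the executable or its flags. Extra
    positional arguments are accepted only as plain tokens, so a caller
    cannot add options or shell syntax.
    """
    if server_name not in APPROVED_SERVERS:
        raise LaunchRejected(f"unknown server {server_name!r}")
    argv = list(APPROVED_SERVERS[server_name])
    for arg in extra_args or []:
        if not arg or arg.startswith("-") or SHELL_METACHARS & set(arg):
            raise LaunchRejected(f"disallowed argument {arg!r}")
        argv.append(arg)
    return argv


def is_permitted(server_name: str, extra_args: list[str] | None = None) -> bool:
    """True if resolve_launch would accept the request, False otherwise."""
    try:
        resolve_launch(server_name, extra_args)
    except LaunchRejected:
        return False
    return True


def spawn_hardened(server_name: str, extra_args: list[str] | None = None) -> subprocess.Popen:
    """Spawn an approved server as argv; no shell ever sees the request.

    Unlike the weak launcher, an unknown executable is rejected before
    anything runs, rather than executed and then reported as an error.
    """
    argv = resolve_launch(server_name, extra_args)
    if shutil.which(argv[0]) is None:
        raise LaunchRejected(f"executable {argv[0]!r} is not installed")
    return subprocess.Popen(argv, shell=False, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)


if __name__ == "__main__":
    print(resolve_launch("filesystem", ["docs"]))
    print(is_permitted("git; id"))  # False: not an allowlisted server name
```

The point of routing every request through `resolve_launch` is that the sanitisation the article says Upsonic and Flowise attempted happens *after* the protocol has already acted on the raw string; here the string never becomes a command at all, only a lookup key into configuration the operator controls.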

Anthropic’s response has been limited to a revised security policy that advises “caution” when using STDIO adapters and a 30‑page paper that acknowledges the issue but does not alter the protocol’s architecture (The Register). The researchers argue that a root‑level patch—removing the unconditional command execution path—could have mitigated risk across software packages totaling more than 150 million downloads, protecting millions of downstream users. Instead, Anthropic has repeatedly told the Ox team that the protocol “works just fine,” effectively treating the exploitability as an intended feature rather than a defect. This stance leaves an estimated 200,000 servers exposed to full takeover, a figure derived from the researchers’ analysis of MCP deployments across open‑source tools and commercial AI agents (The Register).

The broader implications are stark. Because MCP is the de‑facto lingua franca for LLM‑to‑system interaction, any breach can cascade through supply chains, granting attackers footholds in environments ranging from development sandboxes to production data pipelines. Security analysts, citing the Ox team’s 10 high‑ and critical‑severity CVEs, warn that the cumulative threat exceeds the sum of individual bugs, creating a systemic vulnerability that could be weaponised at scale. Until Anthropic either redesigns MCP to eliminate the STDIO command tunnel or issues a comprehensive patch that sanitises all inbound strings, the AI community must treat the protocol as a high‑risk component and implement defensive layers—such as network segmentation, strict IAM policies, and runtime monitoring—to mitigate potential takeovers.
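Of the defensive layers listed above, runtime monitoring is the one that catches a host that has already been talked into spawning something. The following is an added example, not code from the article or from any MCP project: it scans process-execution telemetry for child processes of an MCP host and flags any that is not one of the approved STDIO servers, or that was started through a shell (a sign that a string, rather than an argv, reached the OS). The sample events are constructed JSON lines in the shape an EDR or auditd forwarder might emit; the field names (`parent_comm`, `exe`, `argv`), the host process name `langflow` and the approved executables are assumptions for the example.

```python
"""Added example (not from the article or any MCP implementation):
detection logic for STDIO server launches, run over constructed
process-exec events. Field names and process names are assumptions.
"""
from __future__ import annotations

import json
import posixpath

# Assumed: process names of the MCP host applications being protected.
MCP_HOST_NAMES = {"langflow", "mcp-host"}

# Approved STDIO server executables, by basename (constructed).
APPROVED_EXECUTABLES = {"mcp-server-filesystem", "mcp-server-git"}

# A server started through any of these means a command *string* was
# interpreted, which is exactly the path the article describes.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}

# Constructed sample telemetry; not real logs.
SAMPLE_EVENTS = """\
{"ts":"2026-03-01T10:00:01Z","parent_comm":"langflow","exe":"/usr/local/bin/mcp-server-git","argv":["mcp-server-git"]}
{"ts":"2026-03-01T10:00:05Z","parent_comm":"langflow","exe":"/bin/sh","argv":["sh","-c","mcp-server-git"]}
{"ts":"2026-03-01T10:00:09Z","parent_comm":"langflow","exe":"/usr/bin/curl","argv":["curl","http://example.invalid/x"]}
{"ts":"2026-03-01T10:00:12Z","parent_comm":"sshd","exe":"/bin/bash","argv":["bash"]}
{"ts":"2026-03-01T10:00:15Z","parent_comm":"langflow","exe":"/usr/local/bin/mcp-server-filesystem","argv":["mcp-server-filesystem","--root","/srv/shared"]}
"""


def executable_name(path: str) -> str:
    """Basename of an executable path, tolerating Windows separators."""
    return posixpath.basename(path.replace("\\", "/"))


def classify(event: dict) -> str | None:
    """Return a finding label for one exec event, or None if it is benign."""
    if event.get("parent_comm") not in MCP_HOST_NAMES:
        return None  # only children of the MCP host are in scope
    exe = executable_name(event.get("exe", ""))
    if exe in SHELLS:
        return "shell-launch"  # a string was handed to a shell
    if exe not in APPROVED_EXECUTABLES:
        return "unapproved-child"  # host spawned something outside the server set
    return None


def scan(lines: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, label, exe) for every flagged event, in log order."""
    findings: list[tuple[str, str, str]] = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            findings.append((event["ts"], label, event["exe"]))
    return findings


if __name__ == "__main__":
    for ts, label, exe in scan(SAMPLE_EVENTS):
        print(f"{ts} {label:16} {exe}")
```

Two of the five constructed events are flagged: the `sh -c` launch, because an approved server reached through a shell still means the host executed a string, and the `curl` child, because it is not a server at all. The `bash` spawned by `sshd` is ignored, since the rule is scoped to children of the MCP host rather than to shells in general.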
