Security Researchers Find Command Execution Vulnerability in AI Protocol Used by 200,000 Servers
Researchers discovered that Anthropic's Model Context Protocol contains a design flaw allowing arbitrary command execution on an estimated 200,000 servers worldwide.

Security researchers at OX Security have identified a vulnerability in Anthropic's Model Context Protocol (MCP) that affects an estimated 200,000 servers globally. The flaw allows arbitrary command execution through MCP's STDIO transport mechanism, which is the default method for connecting AI agents to local tools.
The research team, led by Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar, found that MCP's STDIO transport spawns whatever command and arguments a server configuration names, with no sanitization of that configuration and no execution boundary around the resulting process. They discovered 7,000 servers on public IP addresses with active STDIO transport and extrapolated the 200,000 figure from scanning data. The researchers confirmed successful arbitrary command execution on six live production platforms with paying customers.
The vulnerability affects multiple AI development platforms and tools that have adopted MCP, including LiteLLM, LangFlow, Flowise, Windsurf, and others. More than 10 CVEs rated high or critical have been issued across these platforms. The research revealed four main exploitation methods: unauthenticated command injection through web interfaces, bypassing security allowlists, zero-click prompt injection in AI coding environments, and malicious package distribution through MCP registries.
Anthropic, which created MCP as an open standard for AI agent communication, has stated that the behavior is by design and declined to modify the protocol. The company characterizes STDIO's execution model as secure by default, placing responsibility for input sanitization on developers. Anthropic updated its security documentation to recommend caution with STDIO adapters but made no architectural changes to the protocol.
Several affected platforms have released patches for their specific implementations, but security experts note that the underlying protocol behavior remains unchanged. LiteLLM released version 1.83.7-stable to address the issue, while other vendors have implemented various fixes. However, any new MCP deployment that uses the default STDIO transport and lets untrusted input reach the server configuration inherits the same exposure.
The disagreement between researchers and Anthropic centers on who is responsible for securing the protocol. OX Security argues that expecting thousands of developers to correctly implement input sanitization is unrealistic, while Anthropic maintains that STDIO is designed to launch arbitrary local processes and that restricting this functionality would break its core purpose. Security experts recommend treating every MCP STDIO configuration (the command, its arguments, and its environment) as an untrusted input surface and sandboxing the spawned server process regardless of vendor patches.
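The following is an added example, not code from OX Security, Anthropic, or any of the named platforms, that shows why "sanitizing" an STDIO configuration is the wrong control and what a host should do instead. An STDIO server is simply a local process the host launches and talks newline-delimited JSON-RPC to over stdin/stdout, so the command and args fields are the attack surface whenever an untrusted party can write them. The block contrasts three host designs: the vulnerable one that turns user-supplied configuration into argv, a basename allowlist of the kind the research describes as bypassable (the interpreter is "allowed", but its arguments still run arbitrary code), and a hardened design where untrusted input can only select a server from an administrator-written registry. The attacker configuration, the registry contents, the `example-host` client name and the `bwrap` sandbox prefix are all constructed for the example; substitute your own sandboxing tool. Nothing is actually spawned unless you call `spawn_stdio_server` yourself.

```python
import json
import os
import subprocess
from typing import Dict, List

# --- 1. The pattern the research describes: a host that spawns whatever the
# configuration says. Anyone who can write this JSON (a web form, a shared
# project file, a registry package) chooses the process the host will launch.
def argv_from_untrusted_config(config_json: str) -> List[str]:
    """Vulnerable: a user-supplied MCP server entry becomes argv unchanged."""
    cfg = json.loads(config_json)
    return [cfg["command"], *cfg.get("args", [])]

# Constructed attacker-controlled entry. The binary is a common, "legitimate"
# MCP launcher, so a name-based allowlist accepts it; the arguments are what
# actually execute code.
ATTACKER_CONFIG = json.dumps({
    "command": "python3",
    "args": ["-c", "print('attacker-chosen code runs here')"],
})

# --- 2. A basename allowlist, the kind of mitigation that gets bypassed.
NAIVE_ALLOWED_BINARIES = {"node", "npx", "python3", "uvx"}

def passes_naive_allowlist(argv: List[str]) -> bool:
    """Returns True for ATTACKER_CONFIG: the check never looks at args."""
    return os.path.basename(argv[0]) in NAIVE_ALLOWED_BINARIES

# --- 3. Hardened: untrusted input may only *select* a pre-registered server.
# The registry (constructed here) is written by an administrator; the request
# never contributes a command string, an argument, or an environment variable.
TRUSTED_SERVERS: Dict[str, List[str]] = {
    "filesystem": ["/usr/bin/npx", "-y",
                   "@modelcontextprotocol/server-filesystem", "/srv/shared"],
    "fetch": ["/usr/local/bin/uvx", "mcp-server-fetch"],
}

# Assumed sandbox wrapper (bubblewrap): read-only root, no network, and the
# server dies with the host. Replace with whatever your platform uses.
SANDBOX_PREFIX = ["bwrap", "--ro-bind", "/", "/", "--unshare-net",
                  "--die-with-parent", "--"]

def is_allowed_selection(request_json: str) -> bool:
    """True only if the request names a registered server."""
    try:
        name = json.loads(request_json).get("server")
    except (ValueError, AttributeError):
        return False
    return isinstance(name, str) and name in TRUSTED_SERVERS

def argv_from_selection(request_json: str, sandbox: bool = True) -> List[str]:
    """Hardened: look the server up by name; every other key is ignored."""
    if not is_allowed_selection(request_json):
        raise PermissionError("request does not name a registered MCP server")
    name = json.loads(request_json)["server"]
    argv = list(TRUSTED_SERVERS[name])
    return SANDBOX_PREFIX + argv if sandbox else argv

def spawn_stdio_server(argv: List[str]) -> subprocess.Popen:
    """Launch the server with shell=False and a minimal environment. Its
    stdin/stdout carry one JSON-RPC object per line."""
    env = {"PATH": "/usr/bin:/bin", "HOME": "/nonexistent"}
    return subprocess.Popen(argv, shell=False, env=env, text=True,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)

def initialize_request() -> str:
    """The first message a host writes to a freshly spawned STDIO server."""
    msg = {"jsonrpc": "2.0", "id": 1, "method": "initialize",
           "params": {"protocolVersion": "2025-03-26", "capabilities": {},
                      "clientInfo": {"name": "example-host", "version": "0.1"}}}
    return json.dumps(msg) + "\n"

if __name__ == "__main__":
    bad = argv_from_untrusted_config(ATTACKER_CONFIG)
    print("vulnerable host would run:", bad)
    print("naive allowlist accepts it:", passes_naive_allowlist(bad))
    # The same attacker keys are present but cannot influence the result.
    req = json.dumps({"server": "fetch", "command": "/bin/sh", "args": ["-c", "id"]})
    print("hardened host would run:", argv_from_selection(req))
    print("unknown server rejected:", not is_allowed_selection('{"server": "evil"}'))
```

The design point is that the hardened path has no sanitizer to get wrong: there is no parsing of command strings, no argument filtering, and no reliance on the binary's name. If a product genuinely needs users to define their own servers, the registry step becomes an administrator approval step, and the sandbox prefix is what bounds the damage when approval is mistaken.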