Critical ‘by design’ weakness located in Anthropic’s MCP SDK

Systemic remote code execution vulnerability in Anthropic’s Model Context Protocol (MCP) SDK affecting supply chain

OX Security documented a systemic remote code execution vulnerability in Anthropic’s Model Context Protocol (MCP) SDK that stems from a deliberate architectural design choice. The weakness sits in the SDK’s STDIO transport interface.

When a developer configures a STDIO MCP server, the SDK accepts a command field that names the executable to launch. The SDK’s process execution logic runs this command unconditionally: it does not verify that the command is an MCP-compatible server, does not restrict the command syntax, and does not abort execution if the subprocess fails to initialize.

The flaw is present across all officially supported language SDKs, including Python, TypeScript, Java and Rust, and allows any process command passed to the MCP STDIO interface to execute on the host system regardless of whether it initializes a valid MCP server. Anthropic confirmed the behavior as intentional and declined to modify the protocol architecture.

The affected supply chain spans an estimated 150 million downloads, more than 7,000 publicly accessible servers, and up to 200,000 vulnerable instances [1].

“This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories,” OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar said in an analysis published last week.

MCP by design: security and vulnerability analysis

The core weakness in the MCP SDK is located in its STDIO transport interface: when a developer configures a STDIO MCP server, the SDK accepts a command field that specifies the executable to launch, and it launches that executable exactly as given.

The vulnerability ripples through a supply chain with 150M+ downloads, 7,000+ publicly accessible servers, and up to 200,000 vulnerable instances in total.

Diverse attack vectors: the OX Security research team identified four distinct families of exploitation, showing the flaw can be triggered via:

  • Malicious marketplace distribution (9 out of 11 MCP registries were successfully “poisoned” with a malicious trial balloon).
  • Unauthenticated UI injection in popular AI frameworks.
  • Hardening bypasses in “protected” environments such as Flowise.
  • Zero-click prompt injection in leading AI IDEs (Windsurf, Cursor).

The SDK’s process execution logic runs this command unconditionally: it does not verify that the specified command is an MCP-compatible server, does not sanitize or restrict the command syntax, and does not abort execution if the subprocess fails to initialize.

If an attacker can influence the command field — whether through prompt injection, configuration tampering, or malicious marketplace distribution — arbitrary OS commands will execute on the host system.

The behavior is compounded by a timing property: the command has already executed by the time the SDK can detect whether the subprocess is a valid MCP server, so a failed handshake cannot undo the side effects of the launch. Any check that runs after the spawn is detection, not prevention.

Threat mitigation procedure for organizations running MCP-connected infrastructure

  • Audit all MCP STDIO server definitions and treat every command parameter as an untrusted execution surface.
  • Restrict MCP server registration to an explicit, reviewed allowlist; block unapproved STDIO server entries at the configuration level.
  • Apply available patches for affected AI IDEs; in particular, update Windsurf builds that predate the fix for CVE-2026-30615.
  • Do not rely on Anthropic SDK updates alone to remediate the core STDIO execution behavior, which Anthropic has categorized as expected.
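To make the execution surface concrete, the following is an added Python example, not code from the MCP SDK, from any AI IDE, or from OX Security. It models the launch-then-discover ordering described in the analysis above (the command runs before the client can tell whether it speaks MCP) and the configuration-level allowlist that the first two mitigation steps call for. Assumptions: the config shape mirrors the common mcpServers → name → {command, args} layout used by MCP clients; the two server entries, the tiny fake MCP server script, and the allowlist are constructed for this demo.

```python
"""Added example (not MCP SDK code, not OX Security's code): a stand-in for the
STDIO transport's launch step, the handshake check that comes too late, and the
pre-launch allowlist gate the mitigation list calls for.

Assumptions: the config shape mirrors the common mcpServers -> name ->
{"command", "args"} layout; the server entries, the fake server script and the
allowlist below are constructed for this demo.
"""
import json
import subprocess
import sys

# Constructed stand-in for a legitimate MCP server: answers one JSON-RPC
# `initialize` request on stdin with a well-formed result.
FAKE_MCP_SERVER = (
    "import sys, json; req = json.loads(sys.stdin.readline()); "
    "print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'result': "
    "{'protocolVersion': '2025-06-18', 'capabilities': {}, "
    "'serverInfo': {'name': 'fake', 'version': '0'}}}), flush=True)"
)

# Constructed config. 'notes' is a real (fake) MCP server; 'evil' is an
# attacker-supplied entry whose command is not an MCP server at all. A harmless
# print stands in for the payload.
SAMPLE_CONFIG = {
    "mcpServers": {
        "notes": {"command": sys.executable, "args": ["-c", FAKE_MCP_SERVER]},
        "evil": {"command": sys.executable,
                 "args": ["-c", "print('payload ran: not an MCP server')"]},
    }
}

# MCP initialize request as a client would send it over STDIO.
INITIALIZE = {
    "jsonrpc": "2.0", "id": 1, "method": "initialize",
    "params": {"protocolVersion": "2025-06-18", "capabilities": {},
               "clientInfo": {"name": "audit", "version": "0.1"}},
}


def argv_of(entry):
    """Build the argv the transport would spawn from a config entry."""
    return [entry["command"], *entry.get("args", [])]


def launch_then_check(entry, timeout=10):
    """Models the ordering the article describes: the command is spawned first,
    and only afterwards does the client learn whether it speaks MCP.
    Returns (is_mcp_server, first_stdout_line)."""
    proc = subprocess.Popen(argv_of(entry), stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                            text=True)  # side effects have already happened here
    out, _ = proc.communicate(json.dumps(INITIALIZE) + "\n", timeout=timeout)
    first = out.splitlines()[0] if out.strip() else ""
    try:
        reply = json.loads(first)
        ok = reply.get("id") == 1 and "protocolVersion" in reply.get("result", {})
    except ValueError:  # non-JSON output: whatever ran was not an MCP server
        ok = False
    return ok, first


def validate_entry(name, entry, allowlist):
    """Pre-launch gate: the full argv must match a reviewed allowlist entry.
    Allowlisting only the executable (e.g. a package runner) is not enough,
    because the arguments decide which code actually runs. Returns (ok, reason)."""
    cmd = entry.get("command")
    if not isinstance(cmd, str) or not cmd:
        return False, f"{name}: missing or non-string command"
    args = entry.get("args", [])
    if not all(isinstance(a, str) for a in args):
        return False, f"{name}: non-string argument"
    if tuple(argv_of(entry)) not in allowlist:
        return False, f"{name}: argv not in reviewed allowlist"
    return True, f"{name}: approved"


def audit_config(config, allowlist):
    """Return {server_name: (ok, reason)} without spawning anything."""
    return {n: validate_entry(n, e, allowlist)
            for n, e in config.get("mcpServers", {}).items()}


# Constructed allowlist: exact argv tuples a reviewer has approved.
ALLOWLIST = {tuple(argv_of(SAMPLE_CONFIG["mcpServers"]["notes"]))}

if __name__ == "__main__":
    for name, verdict in audit_config(SAMPLE_CONFIG, ALLOWLIST).items():
        print(name, verdict)
    # Why a post-launch handshake check is not a mitigation: the payload
    # has already run by the time the handshake fails.
    ok, line = launch_then_check(SAMPLE_CONFIG["mcpServers"]["evil"])
    print("evil passed handshake:", ok, "| output:", line)
```

The audit step runs entirely on the configuration and never spawns a process, which is the only point at which an untrusted command field can actually be stopped. The handshake check is still useful as a detection signal for monitoring, but by the time it fails the launched command has already done whatever it was going to do.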

OX Security suggested root patches to Anthropic that would have protected millions of downstream users at once; however, Anthropic declined to modify the protocol’s architecture, citing the behavior as “expected.” OX subsequently notified Anthropic of its intent to publish these findings, to which Anthropic raised no objection.

Through more than 30 responsible disclosures and 10+ High/Critical CVEs, OX Security has worked to patch individual projects. However, the root cause remains unaddressed at the protocol level.

Sources:

[1] https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/

[2] MCP by Design: RCE Across the AI Agent Ecosystem – Lab Space
