A security report has put the AI development community on edge.
On April 15, the cybersecurity company OX Security released a report revealing a design flaw in Anthropic's MCP (Model Context Protocol) that can lead to remote code execution and affects more than 200,000 AI servers.
MCP is an open-source standard launched by Anthropic in November 2024 to let large AI models connect to and operate external data sources and tools. It is now widely used by developers to build AI applications.

The root of the problem lies in the STDIO interface of the MCP SDK. The interface was designed to start local server processes, but its underlying execution logic is seriously flawed: it runs whatever operating-system command it is handed, and even when the server fails to start, the command has already been executed, with no verification and no warning. OX Security stressed that this is not a low-level coding mistake but a design decision at the architectural level.
The vulnerability has a wide reach, covering all 11 programming languages officially supported by Anthropic, including Python, TypeScript, Java, Go, Rust and other mainstream languages. Any developer building on MCP inherits this risk automatically.
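Because the transport itself performs no check, as the report describes, the only place left to refuse a dangerous launch is the client, before the server process is spawned. The following is an added example and not code from OX Security, Anthropic or the MCP SDK: it vets one stdio server entry of the kind a client reads from its configuration (the `command`/`args` key names and the allowlist contents are assumptions) and returns the reasons it should not be started.

```python
from collections.abc import Iterable

# Launcher binaries this client is willing to spawn for stdio servers.
# Constructed example policy; a real deployment sets its own list.
DEFAULT_ALLOWLIST = frozenset({"npx", "uvx", "node", "python3"})

# Characters that would let an argument become a shell command of its own
# if a launcher ever hands its arguments to a shell.
SHELL_METACHARS = frozenset(";|&$`<>()\n")

# Interpreters where a -c / -e flag means "run this inline code".
INLINE_CODE_FLAGS = {"python3": "-c", "node": "-e", "sh": "-c", "bash": "-c"}


def vet_stdio_server(name: str, spec: dict,
                     allowlist: Iterable[str] = DEFAULT_ALLOWLIST) -> list[str]:
    """Return the policy violations for one stdio server entry.

    An empty list means the entry may be spawned. The entry is assumed to
    carry the executable under "command" and its arguments under "args"
    (a list of strings); both key names are assumptions for this example.
    """
    findings: list[str] = []
    command = spec.get("command")
    args = spec.get("args", [])

    if not isinstance(command, str) or not command.strip():
        return [f"{name}: missing or non-string 'command'"]
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return [f"{name}: 'args' must be a list of strings"]

    # A command string with whitespace is a whole command line smuggled into
    # the executable field, not a single program to exec.
    if any(ch.isspace() for ch in command):
        findings.append(f"{name}: 'command' must name one executable, not a command line")

    # Compare by basename so /usr/bin/npx and npx are treated alike; anything
    # not on the allowlist is rejected before it is ever spawned.
    base = command.rsplit("/", 1)[-1]
    if base not in set(allowlist):
        findings.append(f"{name}: launcher {command!r} is not on the allowlist")

    for i, arg in enumerate(args):
        if SHELL_METACHARS & set(arg):
            findings.append(f"{name}: args[{i}] contains shell metacharacters: {arg!r}")

    flag = INLINE_CODE_FLAGS.get(base)
    if flag is not None and flag in args:
        findings.append(f"{name}: {base} {flag} would run inline code instead of a server")
    return findings
```

A client that calls this before spawning, and refuses any entry with a non-empty result, closes the "run it anyway" gap the report describes for that client, though it does not change the SDK's own behaviour.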
OX Security spent months testing four types of attack in real environments. LangFlow has 915 publicly reachable instances, and an attacker can obtain session tokens and take full control without holding an account. Letta AI was attacked through a man-in-the-middle position, which let the researchers execute arbitrary commands directly on production servers. Flowise's whitelist filtering was easily bypassed. The most severe case was the Windsurf IDE vulnerability: a user only has to visit a malicious website, with no click required, for an attacker to execute arbitrary commands on the local machine. This vulnerability has been assigned a CVE number.
After receiving the vulnerability notification on January 7 this year, Anthropic responded that the behaviour was "expected," and nine days later it updated only a security document, advising developers to use the STDIO adapter with caution, without making any architectural changes.
The researchers also uploaded malicious servers to 11 major MCP marketplaces as a test: 9 of them accepted the submissions outright without any security review, and only GitHub's hosted registry blocked the submission.
