InvestMarketplaceEquityNews
Flaw in Anthropic's MCP putting 200k servers at risk, researchers claim
Market Updates

Flaw in Anthropic's MCP putting 200k servers at risk, researchers claim

Computing6d ago

Model Context Protocol was designed to help AIs connect with external systems - but it's opening servers to takeover risk

A vulnerability in Anthropic's open source Model Context Protocol is putting up to 200,000 servers at risk of complete takeover.

A design choice in Model Context Protocol (MCP) has opened up a "critical, systemic vulnerability," says the OX Security research team in a new blog post, which enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation.

MCP is the industry standard for AI agent communication. Anthropic launched it in 2024, billing it as "a universal, open standard for connecting AI systems with data sources," like databases, Docker containers and even messaging platforms like Teams.

Today, MCP's supply chain constitutes about 150 million downloads, 7,000 publicly accessible servers and up to 200,000 vulnerable instances.

The OX team says the flaw grants attackers "direct access to sensitive user data, internal databases, API keys, and chat histories."

Technically, nothing - Anthropic insists the behaviour is "expected." But there are 10 CVEs attributable to the flaw already, nine marked as critical.

OX's researchers say they have identified a systemic command injection vulnerability in MCP, opening up four different types of vulnerability.

The vulnerabilities are traced back to STDIO (standard input/output), which MCP uses as a local transport mechanism for an AI process to spawn an MCP server as a subprocess. In practice, "it actually lets anyone run any arbitrary OS command[;] if the command successfully creates an STDIO server it will return the handle, but when given a different command, it returns an error after the command is executed."

The first vulnerability, unauthenticated & authenticated command injection, allows attackers to enter use -controlled commands that run directly on the server, without authentication or sanitisation. OX says "any" AI framework with a publicly facing UI is vulnerable, including IBM's LangFlow and the open source GPT Researcher.

The second attack path is unauthenticated command injection with hardening bypass. It enables the same type of attack, but with the ability to bypass existing protections and user input sanitisation to the MCP configuration. The researchers were able to leverage this vulnerability to get around protections in both Flowise and Upsonic.

The third type allows command injections via MCP configuration edit through prompt injection. It affects AI integrated development environments (IDEs) and coding assistants like Windsurf, Claude Code and GitHub Copilot, though the only issued CVE at present is for Windsurf.

Finally, the fourth vulnerability family is unauthenticated command injection via network request. OX writes, "the insecure MCP STDIO configuration is not shown to the user in the server's Web-GUI, but the backend logic still contains STDIO processing logic." It can be delivered through MCP marketplaces, and they successfully 'poisoned' nine of the 11 marketplaces they tried (using a non-harmful MCP).

OX Security "repeatedly" recommended root patches to Anthropic to fix these flaws since discovering them in November, which "would have instantly protected millions of downstream users." However, Anthropic declined to do so.

Recommendations to address the vulnerabilities are:

Originally published by Computing

Read original source →
Anthropic