
Hey there! Have you heard about the Model Context Protocol created by Anthropic? It’s the open standard for AI agent-to-tool communication. OpenAI even adopted it in March 2025, followed by Google DeepMind. Anthropic was so generous that they donated MCP to the Linux Foundation in December 2025, and downloads have crossed 150 million. But wait, there’s a twist. Recently, four researchers at OX Security discovered an architectural flaw that affects all of them.
So, what’s the issue? Well, it turns out that MCP’s STDIO transport, which is the default for connecting an AI agent to a local tool, executes any operating system command it receives without any sanitization. This means a malicious command can run without any checks, and the developer toolchain doesn’t even raise a flag about it.
The researchers at OX Security found that there are around 7,000 servers with the vulnerable STDIO transport active on public IPs, and they estimate a total of 200,000 instances are at risk. They were able to confirm arbitrary command execution on six live production platforms with paying customers. This led to the discovery of multiple critical vulnerabilities across various products.
Experts like Kevin Curran, a cybersecurity professor, expressed concern about this security flaw, calling it a “shocking gap in the security of foundational AI infrastructure.” Anthropic, on the other hand, confirmed that the behavior is by design and declined to modify the protocol, stating that input sanitization is the developer’s responsibility.
Now, the debate over who should sanitize that input continues, but in the meantime it’s crucial to make sure your MCP deployments are secure. Check whether your vendor has patched the issue and take the necessary actions to protect your systems. Remember, your exposure cannot wait for a protocol fix, so address the vulnerability promptly.
If you’re wondering how to secure your MCP deployments, here are five questions to help you assess the situation and take action:
Am I exposed?
If you’ve deployed any MCP-connected AI agent using the default STDIO transport, you might be exposed to the vulnerability. This issue is not specific to a single product but affects the entire ecosystem due to the design flaw in Anthropic’s MCP specification.
OX Security identified different exploitation families, including unauthenticated command injection, hardening bypasses, zero-click prompt injection, and malicious package distribution. It’s essential to be aware of these risks and take necessary precautions to protect your systems.
Did my vendor patch?
Some vendors have released patches, while others are still working on addressing the issue. It’s crucial to check the patch status for each affected product and ensure that you’re running the latest secure versions to mitigate the risk.
Does the flaw survive the patch?
Even with product-level patches, the underlying issue with MCP’s STDIO behavior remains. It’s essential to treat every MCP STDIO configuration as an untrusted input surface and implement additional security measures to safeguard your systems.
What changed at the protocol level?
At the protocol level, there haven’t been any architectural changes to address the vulnerability. While there is a debate on where the responsibility lies for securing MCP’s STDIO transport, it’s important to take proactive steps to secure your deployments and minimize the risk of exploitation.
Monday morning remediation sequence
Here’s a quick plan of action for Monday morning:
- Enumerate all MCP server deployments
- Patch affected products to the latest secure versions
- Isolate MCP-enabled services from the host operating system
- Audit MCP registries for security
- Treat STDIO config as untrusted and implement strict controls
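As an added example (not code from the article, from OX Security or from any MCP project), here is a small Python auditor that covers the first and last steps above and the advice under “Does the flaw survive the patch?”: it enumerates MCP client config files and treats every STDIO server definition in them as untrusted input, flagging launch commands that are off an allowlist, shell-wrapped invocations, shell metacharacters in arguments, unpinned package runners and process-injection environment variables. It assumes the `{"mcpServers": {name: {"command": ..., "args": [...]}}}` layout that several MCP hosts use; the allowlist, the directories it walks and the sample config are constructed for the example.

```python
"""Audit MCP client configs for risky STDIO server definitions.

Added example: assumes the common ``mcpServers`` JSON layout; the
allowlist, the sample config and the scan roots are site-specific
assumptions, not values from any real deployment.
"""
import json
import os
import re
from pathlib import Path

# Executables a reviewed STDIO server may be launched with (assumption:
# extend only after reviewing each server).
ALLOWED_COMMANDS = {"npx", "node", "python", "python3", "uvx", "docker"}

# Interpreters that turn an argument list into a shell command line.
SHELL_WRAPPERS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}

# Characters that only matter if a shell interprets the argument.
SHELL_META = re.compile(r"[;&|`$<>]")

# Environment variables that load code into a child process.
INJECTION_ENV = {"LD_PRELOAD", "DYLD_INSERT_LIBRARIES", "NODE_OPTIONS", "PYTHONPATH"}


def _first_package_arg(args):
    """Return the first non-flag argument (the package a runner will fetch)."""
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def audit_server(name, spec):
    """Return a list of human-readable findings for one server definition."""
    findings = []
    if "command" not in spec:
        return findings  # remote (URL-based) transport: no local process spawn
    command = str(spec.get("command", ""))
    args = [str(a) for a in spec.get("args", []) or []]
    base = os.path.basename(command)
    if base not in ALLOWED_COMMANDS:
        findings.append(f"{name}: command {command!r} is not on the allowlist")
    if base in SHELL_WRAPPERS:
        findings.append(f"{name}: launches a shell interpreter ({base})")
    for arg in args:
        if SHELL_META.search(arg):
            findings.append(f"{name}: argument {arg!r} contains shell metacharacters")
    if base in {"npx", "uvx"}:
        pkg = _first_package_arg(args)
        # Heuristic: accept "pkg@1.2.3" (npx, uvx) or "pkg==1.2.3" (uvx).
        if pkg is not None and "@" not in pkg[1:] and "==" not in pkg:
            findings.append(f"{name}: package {pkg!r} is not pinned to a version")
    for key in spec.get("env", {}) or {}:
        if key.upper() in INJECTION_ENV:
            findings.append(f"{name}: sets process-injection variable {key}")
    return findings


def audit_config(text):
    """Audit every server in one config file's JSON text."""
    data = json.loads(text)
    findings = []
    for name, spec in (data.get("mcpServers", {}) or {}).items():
        findings.extend(audit_server(name, spec))
    return findings


def find_configs(roots):
    """Walk the given directories and return JSON files that define mcpServers."""
    hits = []
    for root in roots:
        root_path = Path(root)
        if not root_path.is_dir():
            continue
        for path in root_path.rglob("*.json"):
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            if isinstance(data, dict) and "mcpServers" in data:
                hits.append(path)
    return hits


# Constructed sample config: one pinned server, one shell-wrapped server,
# one unpinned package runner and one remote transport (not real servers).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["-y", "@example/server-files@1.0.0", "/home/dev/projects"]},
        "helper": {"command": "sh",
                   "args": ["-c", "node server.js && touch /tmp/marker"]},
        "unpinned": {"command": "npx", "args": ["-y", "some-mcp-server"]},
        "remote": {"url": "https://mcp.example.invalid/sse"},
    }
})

if __name__ == "__main__":
    for path in find_configs([Path.home()]):  # assumption: configs live under $HOME
        print(path, audit_config(path.read_text(encoding="utf-8")))
    print("\n".join(audit_config(SAMPLE_CONFIG)))
```

Run it as-is to see the four findings the constructed sample produces (shell wrapper, off-allowlist command, metacharacters and an unpinned package); point `find_configs` at the directories your agent hosts actually read from and review every finding before the server is allowed to launch.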
By following these steps, you can enhance the security of your MCP deployments and reduce the risk of exploitation. Remember, your vigilance is key to protecting your systems from potential threats.
