MCP 'design flaw' puts 200k servers at risk: Researcher
Security researchers at Ox have disclosed a design flaw in Anthropic's Model Context Protocol (MCP) that puts approximately 200,000 servers at risk of complete takeover. The root issue lies in how MCP uses STDIO as a local transport mechanism, which effectively allows arbitrary OS command execution. From this stem four vulnerability classes: unauthenticated command injection, hardening-bypass injection, zero-click prompt injection in AI IDEs (Windsurf, Cursor, Claude Code, GitHub Copilot, Gemini-CLI), and malicious MCP marketplace entries. Despite 10 high/critical CVEs issued for individual tools and repeated responsible-disclosure attempts, Anthropic declined to patch the protocol architecture, calling the behavior 'expected.' Ox argues that a single architectural fix at the protocol level could have protected software packages with over 150 million downloads.