A critical architectural flaw in Anthropic's Model Context Protocol (MCP) reference implementation allows remote code execution via unsafe STDIO defaults. The STDIO transport lets client apps pass arbitrary commands to MCP servers as subprocesses, with no built-in filtering to block malicious input. OX Security researchers found and reported 30+ RCE vulnerabilities across real production services and open-source projects — including LangFlow, LiteLLM, Windsurf, and others — with 10 CVEs issued so far. Anthropic and other framework maintainers consider the behavior intentional, placing responsibility on client developers, but in practice few implement adequate command filtering. Researchers recommend Anthropic's SDKs enforce a default command allowlist blocking high-risk binaries like bash, curl, and powershell.
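The mitigation the researchers recommend is a command policy enforced on the client side before any stdio server is spawned. The following is an added example, not code from the MCP SDK, from Anthropic, or from OX Security: a standalone check a client could apply to the command and argument list before handing them to whatever stdio launcher it uses. The page names bash, curl and powershell as high-risk binaries; the other denylist entries, the allowlist of launchers, and the per-interpreter "eval" flags are assumptions for illustration.

```python
"""Client-side allowlist/denylist policy for MCP stdio server commands.

Added example (not MCP SDK code). The policy tables are assumptions: a real
deployment would pin absolute paths and tighten them to its own servers.
"""
import os
import subprocess
from dataclasses import dataclass

# Binaries the page says a default policy should refuse (bash, curl, powershell);
# the remaining entries are assumed additions that carry the same risk.
HIGH_RISK_BINARIES = frozenset({
    "bash", "sh", "zsh", "dash", "cmd", "powershell", "pwsh",
    "curl", "wget", "nc", "ncat", "ssh", "scp",
})

# Launchers this client chooses to trust for spawning MCP servers (assumed).
DEFAULT_ALLOWLIST = frozenset({"npx", "uvx", "node", "python3", "docker"})

# Flags that turn an otherwise allowed interpreter into "run arbitrary code"
# (assumed set; extend per interpreter you allow).
EVAL_FLAGS = {
    "node": {"-e", "--eval", "-p", "--print"},
    "python3": {"-c"},
}

# Characters that only matter if the command ever reaches a shell; refusing
# them keeps a later shell=True mistake from becoming an injection.
SHELL_METACHARS = frozenset(";&|`$<>(){}\n\r")


class CommandPolicyError(ValueError):
    """Raised when a stdio command violates the client policy."""


@dataclass(frozen=True)
class StdioLaunchSpec:
    command: str
    args: tuple


def _normalize_binary(command: str) -> str:
    """Reduce 'C:\\...\\PowerShell.EXE' or '/usr/bin/bash' to 'powershell' / 'bash'."""
    name = os.path.basename(command.strip().replace("\\", "/")).lower()
    return name[:-4] if name.endswith(".exe") else name


def check_stdio_command(command, args=(), allowlist=DEFAULT_ALLOWLIST,
                        denylist=HIGH_RISK_BINARIES) -> StdioLaunchSpec:
    """Validate a command before it is passed to a stdio transport; raise on violation."""
    if not command or not command.strip():
        raise CommandPolicyError("empty command")
    binary = _normalize_binary(command)
    if binary in denylist:
        raise CommandPolicyError(f"refused high-risk binary: {binary}")
    if binary not in allowlist:
        raise CommandPolicyError(f"binary not in allowlist: {binary}")
    args = tuple(str(a) for a in args)
    for arg in args:
        if any(ch in SHELL_METACHARS for ch in arg):
            raise CommandPolicyError(f"shell metacharacter in argument: {arg!r}")
        if arg in EVAL_FLAGS.get(binary, ()):
            raise CommandPolicyError(f"inline-eval flag {arg!r} not permitted for {binary}")
    return StdioLaunchSpec(command=command, args=args)


def is_allowed(command, args=()) -> bool:
    """Boolean convenience wrapper around check_stdio_command."""
    try:
        check_stdio_command(command, args)
        return True
    except CommandPolicyError:
        return False


def launch_stdio_server(spec: StdioLaunchSpec, env=None) -> subprocess.Popen:
    """Spawn an already-validated server. shell=False: the argv list goes to
    exec directly and is never re-parsed by a shell."""
    return subprocess.Popen([spec.command, *spec.args], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, env=env, shell=False)


if __name__ == "__main__":
    # Constructed inputs: one legitimate launch, two the policy should refuse.
    for cmd, argv in [("npx", ["-y", "@example/mcp-server"]),
                      ("/bin/bash", ["-c", "echo hi"]),
                      ("node", ["-e", "process.exit(0)"])]:
        print(cmd, argv, "->", "allowed" if is_allowed(cmd, argv) else "refused")
```

The allowlist is deliberately a first layer rather than the whole answer: `node` or `python3` are legitimate launchers for MCP servers, yet with an eval flag they execute whatever string follows, which is why the check refuses those flags per interpreter. A stricter client would pin full command lines (absolute path plus expected arguments) per configured server and treat anything else as a policy violation to log and surface, rather than relying on name-based lists alone.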

From csoonline.com