Security researchers at OX Security have exposed an architectural vulnerability in Anthropic's Model Context Protocol (MCP) that enables arbitrary remote code execution on any system running a vulnerable implementation. The flaw affects MCP's official SDKs across Python, TypeScript, Java, and Rust, and ripples through a supply chain spanning more than 150 million downloads and up to 200,000 server instances. Surprisingly, Anthropic declined to patch the protocol in response, telling researchers the behavior was "expected."
MCP is the open standard Anthropic created in late 2024 to let AI models connect to external tools, databases, and APIs. It was donated to the Linux Foundation's Agentic AI Foundation last December and has since been adopted by OpenAI, Google, and most major AI coding tools.
Article continues below
OX Security said it repeatedly recommended a protocol-level fix to Anthropic, such as manifest-only execution or a command allowlist in the SDKs, that would have protected downstream users immediately, but Anthropic reportedly declined and didn’t object when the researchers said they intended to publish their report.
Ironically, the exposure comes less than a week after Anthropic launched Claude Mythos, a frontier model it’s hyping up as a tool to find security vulnerabilities in other organizations' software. That irony wasn’t lost on OX’s researchers, who noted that the findings were “a call to action” for Anthropic to apply that same commitment in its own infrastructure.
MCP is now under the Linux Foundation’s governance, but it’s still Anthropic that’s responsible for maintaining the reference SDKs where the vulnerability originates. Until its STDIO handling is changed at source, project maintainers will have to implement their own input sanitization.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

























