Overview
- Ox Security’s report, published Wednesday, detailed a protocol issue in MCP’s STDIO transport: the provided command runs even if the spawned server fails to start.
- The team estimates potential exposure across more than 200 projects with about 150 million downloads, over 7,000 public servers, and up to 200,000 vulnerable instances.
- Anthropic told researchers the behavior is by design and declined to change the protocol, then quietly updated its guidance to say STDIO adapters should be used with caution.
- Coordinated disclosures have produced more than 30 accepted reports and over 10 high or critical CVE fixes in downstream tools, yet the protocol’s core behavior remains the same.
- Researchers describe four attack paths, including command injection and marketplace poisoning, warn of data theft and full system takeover, and urge users to add gating, sanitization, isolation, or gateways until a protocol fix exists.
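
One way to implement the gating recommended above, as an added example that is not code from the Ox Security report or from any MCP SDK: because the command runs whether or not a working server comes up, the check has to pass before anything is spawned. The allowlist, server names and paths are constructed, and the `mcpServers`/`command`/`args` layout is assumed from common MCP client configuration files.

```python
import json
import posixpath

# Assumption: operator-maintained allowlist, server name -> exact approved argv.
APPROVED_ARGV = {
    "files": ["/usr/local/bin/mcp-files", "--root", "/srv/data"],
    "search": ["/usr/local/bin/mcp-search"],
}

# Constructed sample of an untrusted client config (hypothetical names and paths).
SAMPLE_CONFIG = json.loads("""
{"mcpServers": {
  "files":  {"command": "/usr/local/bin/mcp-files", "args": ["--root", "/srv/data"]},
  "git":    {"command": "mcp-git", "args": []},
  "notes":  {"command": "/usr/local/bin/mcp-notes", "args": []},
  "search": {"command": "/usr/local/bin/mcp-search", "args": ["--index", "/tmp/x"]}
}}
""")

def gate_stdio_server(name, entry, approved=APPROVED_ARGV):
    """Return None if the entry may be spawned, otherwise a rejection reason."""
    if not isinstance(entry, dict):
        return "entry is not an object"
    command, args = entry.get("command"), entry.get("args", [])
    if not isinstance(command, str) or not isinstance(args, list):
        return "malformed command/args"
    if not all(isinstance(a, str) for a in args):
        return "malformed command/args"
    if not posixpath.isabs(command):   # no PATH lookup of attacker-chosen names
        return "command is not an absolute path"
    expected = approved.get(name)
    if expected is None:
        return "server not on allowlist"
    if [command, *args] != expected:   # pin the whole argv, not just the binary
        return "argv differs from approved argv"
    return None

def review_config(config):
    """Split a config into spawnable argv lists and rejected entries with reasons."""
    allowed, rejected = {}, {}
    for name, entry in config.get("mcpServers", {}).items():
        reason = gate_stdio_server(name, entry)
        if reason is None:
            allowed[name] = [entry["command"], *entry["args"]]
        else:
            rejected[name] = reason
    return allowed, rejected

if __name__ == "__main__":
    ok, bad = review_config(SAMPLE_CONFIG)
    print("spawn:", ok)
    print("blocked:", bad)
```

Only the argv lists returned in `allowed` should ever reach the process-spawning call; a check that waits for the server's handshake is too late under the behavior described above.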