200,000 MCP servers expose a command execution flaw that Anthropic calls a feature
Anthropic, a company known for creating the Model Context Protocol (MCP) as the open standard for AI agent-to-tool communication, made headlines in March 2025 when OpenAI adopted their protocol. Following OpenAI’s lead, Google DeepMind also implemented MCP. The protocol gained popularity, with downloads crossing 150 million. However, a recent discovery by four researchers at OX Security uncovered a critical flaw in the MCP architecture that affects all implementations.
The issue lies in MCP’s STDIO transport, which is the default method for connecting an AI agent to a local tool. This transport executes any operating system command it receives without proper sanitization or execution boundaries. This flaw allows for malicious commands to be executed, leading to potential security breaches. OX Security researchers found that thousands of servers with active STDIO transport were vulnerable, estimating a total of 200,000 instances at risk. They confirmed arbitrary command execution on several live production platforms, highlighting the severity of the issue.
Kevin Curran, an IEEE senior member and cybersecurity professor at Ulster University, described the security gap as a significant concern in foundational AI infrastructure. While Anthropic confirmed that the behavior is by design and declined to modify the protocol, OX Security emphasized the importance of input sanitization as a crucial security measure.
The debate surrounding the flaw revolves around whether developers should be responsible for input sanitization or whether the protocol itself should enforce stricter security measures. Anthropic’s stance is that the STDIO execution model is secure by default, placing the burden of input sanitization on developers. OX Security argues that expecting 200,000 developers to sanitize inputs correctly is unrealistic and shifts the risk rather than addressing it.
In light of the vulnerability, organizations using MCP are advised to conduct a thorough audit of their deployments to assess exposure and apply any necessary patches. It is crucial to treat every MCP STDIO configuration as an untrusted input surface and to implement strict security measures to mitigate the risk of exploitation.
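One way to act on that audit advice, as an added example that is not from the article, OX Security or Anthropic: a small script that walks an MCP client configuration file and flags STDIO server entries that launch a shell interpreter or a fetch-and-run package runner, point at a command outside an allowlist, carry shell metacharacters in their arguments, or override loader and runtime environment variables. It assumes the common `mcpServers` JSON layout with `command`, `args` and `env` fields; the allowlist, the policy sets and the sample configuration are constructed for the demonstration.

```python
import json
import os
import re

# Constructed sample client configuration in the common "mcpServers" layout
# (assumption: command/args/env fields as used by desktop MCP clients).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "files": {"command": "/usr/local/bin/mcp-files", "args": ["--root", "/srv/data"]},
        "shelly": {"command": "sh", "args": ["-c", "some-tool | tee run.log"]},
        "preload": {"command": "/usr/local/bin/mcp-git", "env": {"LD_PRELOAD": "/tmp/x.so"}},
        "npx-any": {"command": "npx", "args": ["-y", "some-package@latest"]},
    }
})

# Policy knobs (assumptions, tune per deployment): only these absolute binaries may be launched.
ALLOWED_COMMANDS = {"/usr/local/bin/mcp-files", "/usr/local/bin/mcp-git"}
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
PACKAGE_RUNNERS = {"npx", "uvx", "pipx"}  # fetch-and-run launchers execute unpinned code
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES", "PATH", "NODE_OPTIONS"}
METACHARS = re.compile(r"[;&|`$<>(){}\n]")


def audit_server(name: str, spec: dict) -> list[str]:
    """Return the policy findings for one STDIO server entry (empty list = passes)."""
    findings = []
    command = spec.get("command", "")
    base = os.path.basename(command)
    if base in SHELL_INTERPRETERS:
        findings.append(f"{name}: launches a shell interpreter ({command})")
    if base in PACKAGE_RUNNERS:
        findings.append(f"{name}: uses a package runner ({command}); pin and vendor the server instead")
    if command not in ALLOWED_COMMANDS:
        findings.append(f"{name}: command {command!r} is not an allowlisted absolute path")
    for arg in spec.get("args", []):
        if METACHARS.search(arg):
            findings.append(f"{name}: argument contains shell metacharacters: {arg!r}")
    for key in spec.get("env", {}):
        if key.upper() in DANGEROUS_ENV:
            findings.append(f"{name}: overrides loader/runtime variable {key}")
    return findings


def audit_config(text: str) -> dict[str, list[str]]:
    """Audit every mcpServers entry; returns {server_name: [findings]}."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: audit_server(name, spec) for name, spec in servers.items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it against a real client configuration by replacing `SAMPLE_CONFIG` with the file contents; an entry with no findings still deserves a manual look at what the allowlisted binary itself does with tool input.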
The debate between Anthropic and OX Security continues, with no resolution in sight regarding the protocol-level fix. In the meantime, organizations must take proactive steps to secure their MCP deployments and safeguard against potential security breaches.