Gate News message, April 21 — Security firm OX Security has disclosed a design-level remote code execution (RCE) vulnerability in MCP (Model Context Protocol), the open standard for AI agents to invoke external tools, which is led by Anthropic. Attackers can execute arbitrary commands on any system running a vulnerable MCP implementation, gaining access to user data, internal databases, API keys, and chat histories.
The flaw stems not from implementation errors but from default behavior in Anthropic’s official SDK when handling STDIO transport—affecting Python, TypeScript, Java, and Rust versions. The StdioServerParameters in the official SDK directly launches subprocesses based on configuration command parameters; without additional input sanitization by developers, any user input reaching this stage becomes a system command. OX Security identified four attack vectors: direct command injection via configuration interfaces, bypassing sanitization with whitelisted command flags (e.g., npx -c ), prompt injection in IDEs to rewrite MCP configuration files for tools like Windsurf to run malicious STDIO services without user interaction, and injecting STDIO configurations through HTTP requests in MCP marketplaces.
According to OX Security, affected packages have been downloaded over 150 million times, with 7,000+ publicly accessible MCP servers exposing up to 200,000 instances across 200+ open-source projects. The team submitted 30+ responsible disclosures, resulting in 10+ high-severity or critical CVEs covering AI frameworks and IDEs including LiteLLM, LangFlow, Flowise, Windsurf, GPT Researcher, Agent Zero, and DocsGPT; 9 of 11 tested MCP package repositories could be compromised using this technique.
Anthropicresponded that this is “by design,” calling STDIO’s execution model a “secure default design,” and shifted input sanitization responsibility to developers, refusing to modify the protocol or official SDK. While DocsGPT and LettaAI have released patches, Anthropic’s reference implementation remains unchanged. With MCP becoming the de facto standard for AI agents accessing external tools—followed by OpenAI, Google, and Microsoft—any MCP service using the official SDK’s default STDIO approach could become an attack vector, even if developers write error-free code.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
AI16Z and ELIZAOS Creators Face Class Action Lawsuit Over False Advertising and Unjust Enrichment
Gate News message, April 21 — Burwick Law has filed a federal class action lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against the creators of AI16Z and ELIZAOS, including Walters, alleging violations of consumer protection laws, false advertising, and unjust
GateNews5m ago
Cobo Launches AI-Driven Agentic Wallet Supporting 80+ Blockchains with Multi-Party Computation Security
Gate News message, April 21 — Singapore-based digital asset custody firm Cobo unveiled the Cobo Agentic Wallet on April 20, a new product designed to enable artificial intelligence systems to independently execute blockchain transactions within a secure and controlled framework. The wallet allows
GateNews50m ago
OpenAI Prepares Agents Feature for ChatGPT, Codenamed Hermes
Gate News message, April 21 — OpenAI is preparing a new Agents feature for ChatGPT, codenamed "Hermes," according to Tibor Blaho, who monitors AI product updates. The feature includes a new agent builder called "studio" that allows users to create agents from templates, schedule runs, and
GateNews1h ago
0G Foundation Partners with Alibaba Cloud to Bring Qwen LLM On-Chain for AI Agents
Gate News message, April 21 — The 0G Foundation has partnered with Alibaba Cloud to integrate the Qwen large language model series on-chain. Through a tokenized mechanism, developers can embed direct Qwen access into their
GateNews3h ago
Nvidia's OpenShell Releases v0.0.33 with libkrun MicroVM Driver for AI Agent Sandboxing
Gate News message, April 21 — Nvidia's open-source AI Agent sandbox runtime OpenShell released version v0.0.33 recently, according to monitoring by Beating. The update introduces libkrun, a lightweight microVM driver based on KVM, alongside enhanced security
GateNews3h ago
ProCap Financial Partners with Kalshi to Launch AI-Powered Prediction Market Research Service
Gate News message, April 21 — ProCap Financial, founded by crypto entrepreneur Anthony Pompliano, has partnered with Kalshi, a prediction market operator, to launch a research service focused on prediction market analysis. The service leverages Kalshi's data pipeline and ProCap's AI agents to
GateNews3h ago
