- Ox researchers warn that Anthropic’s Model Context Protocol has a systemic RCE failure
- Vulnerability built into MCP SDKs across Python, TypeScript, Java, Rust
- 200,000+ cases uncovered; Anthropic says behavior is “expected”
Security researchers at Ox have claimed that Anthropic’s Model Context Protocol (MCP) contains a “critical, systemic vulnerability” that puts hundreds of thousands of instances at risk of remote code execution (RCE).
Anthropic, on the other hand, reportedly said the system is working as intended.
MCP is a standard that lets AI tools securely connect to external data sources and apps. It is a vital component of any model because, without it, the model can only rely on the data it was trained on. The standard is used by both AI companies and developers building AI tools, and is seen in both OpenAI and DeepMind products, as well as Anthropic’s own Claude apps.
Millions are affected
In their findings, Ox researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar said that what they found in MCP was not a “traditional coding bug,” but an “architectural design decision baked into Anthropic’s official MCP SDKs across all supported programming languages, including Python, TypeScript, Java, and Rust.”
“Any developer building on the Anthropic MCP foundation unknowingly inherits this exposure,” they warned.
Ox said the bug can be triggered in various ways, from unauthorized UI injection to hardening bypass in “protected environments,” and from zero-click prompt injection in leading AI IDEs to malicious marketplace distributions.
They claim to have successfully executed commands on six live production platforms and identified critical vulnerabilities in “industry staples like LiteLLM, LangChain and IBM’s LangFlow.”
The researchers said that more than 7,000 publicly available servers and up to 200,000 instances are now vulnerable. So far they have issued 10 CVEs and helped fix the bugs. “However, the root cause remains unaddressed at the protocol level.”
Ox also said it reached out to Anthropic and recommended root patches, to which the company said MCP’s behavior is “expected.”



