- Ox Researchers Warn Anthropic’s Model Context Protocol Has a Systemic RCE Flaw
- Vulnerability built into the MCP SDKs in Python, TypeScript, Java, and Rust
- More than 200,000 instances exposed; Anthropic says the behavior is “expected”
Security researchers at Ox have claimed that Anthropic’s Model Context Protocol (MCP) contains a “critical systemic vulnerability” that puts hundreds of thousands of instances at risk of remote code execution (RCE).
Anthropic, on the other hand, reportedly said the system is working as intended.
MCP is a standard that allows AI tools to securely connect to external applications and data sources. It is a vital component for any model, because without it the model can rely only on the data it was trained on. The standard is used by both AI companies and developers creating AI tools, and appears in OpenAI and DeepMind products as well as Anthropic’s own Claude applications.
Millions are affected
In their findings, Ox researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok and Roni Bar said that what they found in MCP was not a “traditional coding error” but an “architectural design decision built into Anthropic’s official MCP SDKs in all supported programming languages, including Python, TypeScript, Java and Rust.”
“Any developer who builds on top of Anthropic MCP unknowingly inherits this exposure,” they warned.
Ox said the flaw can be triggered in different ways, from unauthenticated UI injection to hardening bypasses in “protected environments”, and from zero-click prompt injection in leading AI IDEs to malicious marketplace distribution.
They claim to have successfully executed commands on six live production platforms and identified critical vulnerabilities in “industry staples like LiteLLM, LangChain, and IBM’s LangFlow.”
The researchers said that more than 7,000 publicly accessible servers and up to 200,000 instances are now vulnerable. So far, they have issued 10 CVEs and helped fix the bugs. “However, the root cause remains unaddressed at the protocol level.”
Ox also said it contacted Anthropic and recommended root patches, to which the company responded that MCP’s behavior was “expected.”




