
Anthropic, a leading company in the AI space, developed the Model Context Protocol (MCP) as the industry standard for AI agent-to-tool communication. In a significant move, OpenAI adopted the protocol in March 2025, followed by Google DeepMind. Anthropic later donated MCP to the Linux Foundation in December 2025, and the protocol has since been downloaded over 150 million times. A recent discovery by researchers at OX Security, however, revealed a critical architectural flaw in the protocol.
The flaw lies in MCP's STDIO transport, the default method for connecting an AI agent to a local tool. This transport executes whatever operating system command it receives, without sanitization or execution boundaries, so a malicious command is run as-is. OX Security researchers identified over 7,000 servers on public IPs with active STDIO transport and estimate a total of 200,000 vulnerable instances. They confirmed arbitrary command execution on several live production platforms, and the disclosure led to multiple high- or critical-rated CVEs across various AI frameworks.
Following the disclosure, Kevin Curran, a cybersecurity expert at Ulster University, highlighted the concerning gap this exposes in the security of foundational AI infrastructure. Anthropic, however, confirmed that the behavior is intentional and declined to modify the protocol, arguing that input sanitization is the responsibility of the developers who build on it.
While Anthropic defends its position, OX Security emphasizes how unrealistic it is to expect thousands of independent developers to sanitize inputs correctly. The debate raises questions about the protocol's security and about which stakeholders are responsible for addressing the issue.
In response to the disclosure, several affected products have shipped patches, but the flaw persists at the protocol level. Organizations are advised to secure their MCP deployments immediately: enumerate MCP servers, apply vendor patches, isolate the services, and treat every STDIO configuration as an untrusted surface.
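The following is an added illustration of the last recommendation, treating a STDIO configuration as untrusted; it is not code from the article, from OX Security, or from the MCP project. It assumes a hypothetical MCP client that reads a JSON config whose `mcpServers` entries carry a `command` and an `args` list and spawns the tool over stdin/stdout. The vulnerable launcher flattens those fields into one shell string; the hardened validator enforces an allow-list of executables, rejects arguments containing shell metacharacters, and spawns with `shell=False`, a minimal environment and a fixed working directory. The sample config, the allow-list and the argument character set are constructed for the example.

```python
import json
import os
import re
import subprocess

# Constructed sample: two STDIO server entries as a hypothetical MCP client
# config might hold them. The second entry smuggles a shell command into an
# argument value.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "/usr/bin/python3",
            "args": ["-m", "fs_tool", "--root", "/srv/data"],
        },
        "hostile": {
            "command": "/usr/bin/python3",
            "args": ["-m", "fs_tool", "--root", "/srv/data; touch /tmp/pwned"],
        },
    }
})

# Hypothetical allow-list of executables an operator has reviewed.
ALLOWED_COMMANDS = {"/usr/bin/python3", "/usr/local/bin/mcp-fs-server"}

# Conservative character set for arguments: no whitespace, quotes, shell
# metacharacters or newlines. Anything outside it is rejected outright.
_SAFE_ARG = re.compile(r"^[A-Za-z0-9_./:=@+-]+$")


def vulnerable_command_line(entry):
    """Vulnerable pattern: flatten command + args into one string that a
    launcher would hand to subprocess.Popen(..., shell=True). Returned
    rather than executed so the injected text can be inspected."""
    return " ".join([entry["command"], *entry["args"]])


def validate_stdio_entry(name, entry):
    """Hardened pattern: treat the config as untrusted input. Returns the
    argv list to pass to subprocess with shell=False, or raises ValueError."""
    command = entry.get("command")
    if not isinstance(command, str) or not os.path.isabs(command):
        raise ValueError(f"{name}: command must be an absolute path")
    if os.path.normpath(command) not in ALLOWED_COMMANDS:
        raise ValueError(f"{name}: command {command!r} is not allow-listed")
    args = entry.get("args", [])
    if not isinstance(args, list):
        raise ValueError(f"{name}: args must be a list")
    for arg in args:
        if not isinstance(arg, str) or not _SAFE_ARG.match(arg):
            raise ValueError(f"{name}: rejected argument {arg!r}")
    return [command, *args]


def launch_stdio_server(argv, dry_run=True):
    """Spawn the tool from an argv list (never a shell string) with a minimal
    environment and pipes on stdin/stdout, as a STDIO transport needs.
    dry_run returns the Popen keyword arguments instead of spawning, so the
    example runs offline."""
    kwargs = dict(
        args=argv,
        shell=False,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        env={"PATH": "/usr/bin:/bin", "LANG": "C"},
        cwd="/",
    )
    if dry_run:
        return kwargs
    return subprocess.Popen(**kwargs)


def audit_config(config_text):
    """Review every STDIO server entry before the agent starts: report which
    entries would launch (with their argv) and which are rejected and why."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, entry in servers.items():
        try:
            report[name] = ("ok", validate_stdio_entry(name, entry))
        except ValueError as exc:
            report[name] = ("rejected", str(exc))
    return report


if __name__ == "__main__":
    for server, outcome in audit_config(SAMPLE_CONFIG).items():
        print(server, outcome)
```

Running the audit on the constructed config accepts the `filesystem` entry and rejects `hostile` because its last argument contains `;` and spaces; the same hostile entry rendered by the vulnerable launcher is a single string a shell would happily split into two commands. The allow-list check also rejects any executable an operator has not reviewed, even when its arguments are clean.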
The disagreement between Anthropic and OX Security underscores the need for a comprehensive approach to the security vulnerabilities in MCP's STDIO transport. As the debate continues, organizations must prioritize securing their AI infrastructure to mitigate the risk.
