Full Report
Bug or feature? A design flaw – or expected behavior based on a bad design choice, depending on who is telling the story – baked into Anthropic's official Model Context Protocol (MCP) puts as many as 200,000 servers at risk of complete takeover, according to security researchers.…
Analysis Summary
# Vulnerability: Systemic Command Injection "Design Flaw" in Anthropic MCP
## CVE Details
- **CVE ID:** Multiple (10+ identified). Notable IDs include:
  - **CVE-2025-65720** (GPT Researcher)
  - **CVE-2026-30625** (Upsonic)
  - **CVE-2026-30615** (Windsurf)
  - **GHSA-c9gw-hvqq-f33r** (Flowise)
- **CVSS Score:** High to Critical (Specific scores vary by implementation)
- **CWE:** CWE-77 (Improper Neutralization of Special Elements used in an OS Command)
## Affected Systems
- **Products:**
  - Anthropic Model Context Protocol (MCP) SDKs (Python, TypeScript, Java, Rust).
  - AI Frameworks: LangFlow (all versions), GPT Researcher, Upsonic, Flowise.
  - AI IDEs/Agents: Windsurf, Claude Code, Cursor, Gemini-CLI, GitHub Copilot.
- **Versions:** All versions using standard MCP implementation via STDIO transport as of April 2026.
- **Configurations:** Systems utilizing MCP with **STDIO adapters** to spawn servers as subprocesses.
## Vulnerability Description
The flaw resides in the architectural design of the Model Context Protocol (MCP). MCP uses STDIO as a local transport mechanism where an AI application spawns an MCP server as a subprocess. The protocol logic allows arbitrary OS commands to be passed through parameters intended for server initialization.
When the protocol receives a command, it attempts to execute it. If the spawned process turns out to be a valid STDIO server, a handle is returned; if it is not (for example, a malicious payload), an error is returned, but only after the OS has already executed the command. This yields a Remote Code Execution (RCE) "primitive" in any tool built on the official MCP SDK.
## Exploitation
- **Status:** PoC available; identified in 11 MCP marketplaces.
- **Complexity:** Low to Medium (Varies from direct injection to hardening bypasses).
- **Attack Vector:** Network (via public UIs), Local (via poisoned configurations), or Indirect (via Prompt Injection).
## Impact
- **Confidentiality:** Total (Full server/workstation takeover possible).
- **Integrity:** Total (Arbitrary command execution).
- **Availability:** Total (System compromise/shutdown).
## Remediation
### Patches
- **Anthropic:** No root protocol patch issued. Anthropic maintains this is "expected behavior."
- **Individual Tooling:**
  - **Upsonic:** CVE-2026-30625 (Hardening implementation).
  - **Flowise:** GHSA-c9gw-hvqq-f33r (Hardening implementation).
  - **Windsurf:** CVE-2026-30615 (Patch available).
  - **LangFlow / GPT Researcher:** No official patches confirmed at time of report.
### Workarounds
- **Strict Allowlisting:** Restrict the commands MCP is allowed to spawn to specific binaries only (e.g., `python`, `npm`). Note: researchers bypassed some allowlists using flag injection (e.g., `npx -c ...`), so arguments must be checked as well as the binary name.
- **Isolation:** Run MCP servers within highly restricted containers or sandboxes to limit the scope of command execution.
- **Manual Verification:** Avoid installing MCP servers from unverified marketplaces or third-party repositories.
## Detection
- **Indicators of Compromise:**
  - Unexpected child processes spawned by AI agents/IDEs.
  - Presence of suspicious arguments in `npx`, `npm`, or `python` execution logs.
  - Modification of MCP JSON configuration files by unauthorized processes.
- **Detection Methods:** Monitor shell activity and subprocess spawning originating from AI frameworks or LLM-integrated development environments.
## References
- **Ox Security Research:** hxxps[://]www[.]ox[.]security/blog/the-mother-of-all-ai-supply-chains-technical-deep-dive/
- **Ox Security Blog:** hxxps[://]www[.]ox[.]security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/
- **Technical Whitepaper:** hxxps[://]20204725[.]hs-sites[.]com/the-mother-of-all-ai-supply-chains