200,000 MCP servers expose a command execution flaw that Anthropic calls a feature
A security flaw in the Model Context Protocol (MCP) affects 200,000 servers, allowing for arbitrary command execution due to insecure default settings.

Anthropic created the Model Context Protocol (MCP) as an open standard for AI agent-to-tool communication; it was adopted by OpenAI in March 2025 and later by Google DeepMind. The protocol was donated to the Linux Foundation in December 2025, by which point it had passed 150 million downloads. However, four researchers at OX Security discovered an architectural problem that affects all MCP servers.
MCP's STDIO transport, the default for connecting an AI agent to a local tool, executes any operating system command it receives without sanitization and with no execution boundary between configuration and command. The researchers, Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar, found 7,000 servers on public IPs with the STDIO transport active and estimate that there are 200,000 vulnerable instances in total. They confirmed arbitrary command execution on six live production platforms with paying customers, producing over 10 CVEs rated high or critical across various products.
Kevin Curran, an IEEE senior member and professor of cybersecurity at Ulster University, called the research a "shocking gap in the security of foundational AI infrastructure." Anthropic confirmed that the behavior is by design and declined to modify the protocol, characterizing STDIO's execution model as a secure default and input sanitization as the developer's responsibility. OX Security argues that expecting 200,000 developers to sanitize inputs correctly is the problem. The technical counter from Anthropic is that sanitizing STDIO would either break the transport or move the payload one layer down.
Carter Rees, VP of AI and Machine Learning at Reputation, suggested that enterprise teams should treat MCP STDIO as a privileged execution surface rather than a connector: deny by default, allowlist, sandbox, and stop assuming that downstream input validation will hold at scale. The researchers identified four exploitation families: unauthenticated command injection, hardening bypasses, zero-click prompt injection, and malicious package distribution. They also created a matrix mapping affected products against exploitation families, patch state, and remaining gaps.
While some vendors have patched their products, the protocol-level default has not changed, and every STDIO server definition remains a command execution surface. To address the flaw, Rees and other experts recommend enumerating and identifying MCP server deployments, patching affected products, sandboxing MCP-enabled services, auditing registries, and treating STDIO config as untrusted. As Merritt Baer, chief security officer at Enkrypt AI, warned in January, "MCP is shipping with the same mistake we've seen in every major protocol rollout: insecure defaults." The disagreement between Anthropic and OX Security on responsibility for securing MCP's STDIO transport will continue, but organizations can take immediate action to protect their deployments.
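The recommendations above (deny by default, allowlist, treat STDIO config as untrusted) can be turned into an automated check over the server definitions an agent host is about to launch. The following is an added example, not code from the article, from OX Security, or from Anthropic; it assumes the config uses the common `{"mcpServers": {<name>: {"command", "args", "env"}}}` layout, and the allowlist paths and sample servers are constructed for the demonstration.

```python
"""Deny-by-default audit of MCP STDIO server definitions.

Added example, not code from the article or from OX Security / Anthropic.
Assumptions: the config follows the common {"mcpServers": {<name>: {"command",
"args", "env"}}} layout; the allowlist and sample servers below are constructed.
"""
import json
import os
from dataclasses import dataclass
from typing import Dict, List

# Constructed allowlist: the only executables this host permits an agent to spawn.
ALLOWED_COMMANDS = {
    "/usr/local/bin/node",
    "/usr/bin/python3",
}

# Spawning one of these as the "command" turns its arguments into a script,
# which collapses the boundary between configuration and command.
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "dash", "ksh", "cmd", "cmd.exe",
                      "powershell", "powershell.exe", "pwsh", "pwsh.exe"}

# Environment keys that change what code a process loads, whatever the command is.
LOADER_ENV_KEYS = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES",
                   "NODE_OPTIONS", "PYTHONPATH", "PYTHONSTARTUP"}


@dataclass(frozen=True)
class Finding:
    server: str
    severity: str   # "critical", "high" or "medium"
    reason: str


def audit_server(name: str, spec: dict) -> List[Finding]:
    """Return every policy violation for one STDIO server definition."""
    findings: List[Finding] = []
    command = spec.get("command")
    env = spec.get("env", {})

    if not isinstance(command, str) or not command.strip():
        return [Finding(name, "high", "server has no usable 'command' field")]

    base = os.path.basename(command).lower()
    if base in SHELL_INTERPRETERS:
        findings.append(Finding(name, "critical",
                                f"'{command}' is a shell interpreter; its args run as a script"))

    if not os.path.isabs(command):
        findings.append(Finding(name, "medium",
                                f"'{command}' is resolved via PATH on the agent host, not pinned"))

    # Deny by default: anything not explicitly allowlisted is rejected, which also
    # catches shells and relative names that happen to resolve to something.
    if command not in ALLOWED_COMMANDS:
        findings.append(Finding(name, "high", f"'{command}' is not on the command allowlist"))

    for key in env:
        if key.upper() in LOADER_ENV_KEYS:
            findings.append(Finding(name, "high", f"env sets loader/search variable {key}"))
    return findings


def audit_config(config_text: str) -> Dict[str, List[Finding]]:
    """Parse a config document and audit every server under 'mcpServers'."""
    config = json.loads(config_text)
    servers = config.get("mcpServers", {})
    return {name: audit_server(name, spec) for name, spec in servers.items()}


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a server's findings to its highest severity, or 'clean'."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f.severity for f in findings), key=order.__getitem__, default="clean")


# Constructed sample configuration: one compliant server and three that violate policy.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "docs": {"command": "/usr/local/bin/node", "args": ["/opt/mcp/docs/server.js"]},
        "wrapped": {"command": "bash", "args": ["-c", "node server.js"]},
        "unpinned": {"command": "npx", "args": ["-y", "example-mcp-server"]},
        "preload": {"command": "/usr/bin/python3", "args": ["-m", "server"],
                    "env": {"LD_PRELOAD": "/opt/libs/hook.so"}},
    }
})

if __name__ == "__main__":
    for server, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{server}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.reason}")
```

Run against the sample, the audit passes only `docs`, which uses a pinned, allowlisted binary; `wrapped` is flagged critical because a shell interpreter makes the argument list the real command, `unpinned` is flagged for relying on the host's PATH, and `preload` is flagged even though its binary is allowlisted, since a loader variable in `env` changes what code that binary executes. The deny-by-default rule means a new server definition is rejected until someone deliberately adds its executable to the allowlist, which is the review step the article's experts are asking for.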
Source: VentureBeat