- Ox Researchers Warn Anthropic’s Model Context Protocol Has Systemic RCE Flaw
- Vulnerability built into MCP SDKs for Python, TypeScript, Java, Rust
- More than 200,000 instances exposed; Anthropic says behavior is ‘expected’
Security researchers at Ox have claimed that Anthropic’s Model Context Protocol (MCP) contains a “critical systemic vulnerability” that puts hundreds of thousands of instances at risk of remote code execution (RCE).
Anthropic, on the other hand, reportedly stated that the system worked as expected.
MCP is a standard that allows AI tools to securely connect to external data sources and applications. It is an essential component of any model because, without it, the model can rely only on the data it was trained on. The standard is used by both AI companies and developers who create AI tools, and it can be seen in OpenAI and DeepMind products, as well as Anthropic’s own Claude applications.
Millions of people are affected
In their findings, Ox researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok and Roni Bar said that what they found in MCP was not a “traditional coding error” but an “architectural design decision built into Anthropic’s official MCP SDKs in all supported programming languages, including Python, TypeScript, Java and Rust.”
“Any developer relying on the Anthropic MCP Foundation unknowingly inherits this exposure,” they warned.
Ox said the flaw can be triggered in a variety of ways: unauthenticated UI injection, hardening bypasses in “protected environments,” zero-click prompt injection in leading AI IDEs, and malicious marketplace distribution.
They claim to have successfully executed commands on six live production platforms and identified critical vulnerabilities in “industry staples like LiteLLM, LangChain, and IBM’s LangFlow.”
The researchers said more than 7,000 publicly accessible servers and up to 200,000 instances are now vulnerable. So far they have released 10 CVEs and helped fix bugs. “However, the root cause remains unresolved at the protocol level.”
Ox also said it contacted Anthropic and recommended root fixes, to which the company responded that MCP’s behavior was “expected.”




