
It also follows the accidental leak of Claude Code's full source code through a public npm package at the end of March, which exposed roughly 500,000 lines of unobfuscated TypeScript before Anthropic pulled the file.
MCP is now under the Linux Foundation’s governance, but it’s still Anthropic that’s responsible for maintaining the reference SDKs where the vulnerability originates. Until its STDIO handling is changed at source, project maintainers will have to implement their own input sanitization.
Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.
FoxtrotMichael-1: This is a bit misleading. For one, the STDIO protocol is for executing local commands – it’s specifically designed to allow an agent to execute commands on the local machine without exposing an HTTP port. So when Anthropic says it’s working as intended…that’s because it’s working as intended. Sanitizing command strings sent over the STDIO protocol could break the command or, even worse, completely change the command's behavior. It would make no sense whatsoever for Anthropic to change how the protocol works. Ox Security is capitalizing on the moment to get a lot of publicity. EDIT: Since this article includes so few details about the actual vulnerability, I did a bit more digging. The problem is not with the STDIO protocol generally, but with how the STDIO protocol attempts to launch an MCP server and return the handle. The protocol will run any arbitrary command to launch an MCP server, and since the launch command is defined in a config file you can easily produce a malicious MCP plugin. Once the MCP plugin is run, it will execute an arbitrary command instead of a command to start an MCP server. I still don't see this as Anthropic's problem. As a developer myself, sanitizing the server startup command would be a nightmare and either never work properly or lock MCP server startup commands into a specific subset of values. If Windsurf or any others are allowing malicious plugins on their marketplaces, how is that Anthropic's problem?
DS426: FoxtrotMichael-1 said: This is a bit misleading. For one, the STDIO protocol is for executing local commands – it’s specifically designed to allow an agent to execute commands on the local machine without exposing an HTTP port. So when Anthropic says it’s working as intended…that’s because it’s working as intended. Sanitizing command strings sent over the STDIO protocol could break the command or, even worse, completely change the command's behavior. It would make no sense whatsoever for Anthropic to change how the protocol works. Ox Security is capitalizing on the moment to get a lot of publicity. EDIT: Since this article includes so few details about the actual vulnerability, I did a bit more digging. The problem is not with the STDIO protocol generally, but with how the STDIO protocol attempts to launch an MCP server and return the handle. The protocol will run any arbitrary command to launch an MCP server, and since the launch command is defined in a config file you can easily produce a malicious MCP plugin. Once the MCP plugin is run, it will execute an arbitrary command instead of a command to start an MCP server. I still don't see this as Anthropic's problem. As a developer myself, sanitizing the server startup command would be a nightmare and either never work properly or lock MCP server startup commands into a specific subset of values. If Windsurf or any others are allowing malicious plugins on their marketplaces, how is that Anthropic's problem? How are there several CVEs that are 'High' and 'Critical' severity then? I think the best version of the truth probably lies somewhere in between Ox Security's publicity of this and Anthropic's version. "The protocol will run any arbitrary command to launch an MCP server and since the launch command is defined in a config file you can easily produce a malicious MCP plugin." ACLs on where that config file is located largely determine how severe this problem could be. If the file is in a rather protected directory by default when installed, and the same for the file's permissions — as it should be — then there's a defense that such a system has bigger issues if malware or HOK activity is present. If the config file can only be edited with elevated permissions, that would help mitigate the issue.
FoxtrotMichael-1: DS426 said: ACLs on where that config file is located largely determine how severe this problem could be. If the file is in a rather protected directory by default when installed, and the same for the file's permissions — as it should be — then there's a defense that such a system has bigger issues if malware or HOK activity is present. If the config file can only be edited with elevated permissions, that would help mitigate the issue. That's not really how it works. The startup command for the MCP server is being defined in a plugin config file that lives in the plugin marketplace of the tool that you are using. For example, if you are using Cursor, and the plugin you install has an MCP STDIO startup command of do_evil.sh, then when you install the plugin and the agent decides to actually start the plugin, it will execute do_evil.sh. There's really no way around this being a problem that the companies offering the plugin marketplaces have to solve. If they allow malicious plugins on their marketplace and you install them, then yes, they can execute any malicious command on your system. On the other hand, let's say Anthropic did change the behavior of the startup command in the STDIO protocol. Let's say that it sanitizes the command and it can only be some very small subset of commands. The startup command in the STDIO protocol is still executing a command on your system that is, by design, intended to start an MCP server. Given that the attacker in this scenario controls both the startup command and the process it's starting, they can just move the malicious code to the MCP server. There is no possible way that Anthropic can fix this issue at the SDK level. The CVEs are for the products that host the plugin marketplaces that do nothing to prevent someone from publishing a malicious plugin, and rightfully so. Personally, I am a software developer and my main product is an agentic harness (think Claude Code, OpenClaw, etc.). I take personal responsibility for my product's security and I can't wrap my head around this being a problem in the MCP SDK.
DS426: FoxtrotMichael-1 said: That's not really how it works. The startup command for the MCP server is being defined in a plugin config file that lives in the plugin marketplace of the tool that you are using. For example, if you are using Cursor, and the plugin you install has an MCP STDIO startup command of do_evil.sh, then when you install the plugin and the agent decides to actually start the plugin, it will execute do_evil.sh. There's really no way around this being a problem that the companies offering the plugin marketplaces have to solve. If they allow malicious plugins on their marketplace and you install them, then yes, they can execute any malicious command on your system. On the other hand, let's say Anthropic did change the behavior of the startup command in the STDIO protocol. Let's say that it sanitizes the command and it can only be some very small subset of commands. The startup command in the STDIO protocol is still executing a command on your system that is, by design, intended to start an MCP server. Given that the attacker in this scenario controls both the startup command and the process it's starting, they can just move the malicious code to the MCP server. There is no possible way that Anthropic can fix this issue at the SDK level. The CVEs are for the products that host the plugin marketplaces that do nothing to prevent someone from publishing a malicious plugin, and rightfully so. Personally, I am a software developer and my main product is an agentic harness (think Claude Code, OpenClaw, etc.). I take personal responsibility for my product's security and I can't wrap my head around this being a problem in the MCP SDK. Ohhh, I see. Good to know — thank you for the elaboration and correction!
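The thread above describes the mechanism: a plugin config file supplies the STDIO launch command, and the client runs it as-is. A defender-side policy check that follows from that description, as an added example (not code from Tom's Hardware, Anthropic, Ox Security or the commenters): it audits a constructed config in the common "mcpServers" JSON layout (an assumed shape) against a launcher allow-list and flags path-based commands, shell metacharacters and inline-code flags before the client would spawn anything.

```python
import json
import os
import shutil

# Constructed sample config in the widely used "mcpServers" JSON layout
# (assumed shape; the "evil" entry mirrors the do_evil.sh case from the thread).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]},
        "evil": {"command": "./do_evil.sh", "args": []},
        "inline": {"command": "python3", "args": ["-c", "print('hi')"]},
    }
})

# Policy (hypothetical): the launcher must be a bare name from this set, and it
# must resolve from PATH rather than from a path shipped inside the plugin.
ALLOWED_LAUNCHERS = {"npx", "node", "python3", "uvx"}
SHELL_META = set(";|&`$<>")
INLINE_CODE_FLAGS = {"-c", "-e", "--eval"}


def audit_server(name, spec, which=shutil.which):
    """Return a list of policy findings for one server entry (empty = passes)."""
    findings = []
    cmd = spec.get("command", "")
    base = os.path.basename(cmd)
    if cmd != base:
        findings.append(f"{name}: command is a path ({cmd}), not a bare launcher name")
    if base not in ALLOWED_LAUNCHERS:
        findings.append(f"{name}: launcher '{base}' is not in the allow-list")
    elif which(base) is None:
        findings.append(f"{name}: launcher '{base}' not found on PATH")
    for arg in spec.get("args", []):
        if SHELL_META & set(arg):
            findings.append(f"{name}: argument contains shell metacharacters: {arg!r}")
        if arg in INLINE_CODE_FLAGS:
            findings.append(f"{name}: inline-code flag {arg} passed to launcher")
    return findings


def audit_config(text, which=shutil.which):
    """Audit every entry under mcpServers; returns {server_name: [findings]}."""
    cfg = json.loads(text)
    return {name: audit_server(name, spec, which)
            for name, spec in cfg.get("mcpServers", {}).items()}


if __name__ == "__main__":
    for server, issues in audit_config(SAMPLE_CONFIG).items():
        print(server, "OK" if not issues else issues)
```

As the thread points out, an allow-listed launcher still runs whatever server package it is pointed at, so this narrows the surface (and gives the marketplace or client a review hook) rather than closing it.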