'This is not a traditional coding error': Experts flag potentially critical security issues at the heart of Anthropic's MCP, exposing 150 million downloads and thousands of servers to complete takeover


  • Ox researchers warn Anthropic’s Model Context Protocol has systemic RCE flaw
  • Vulnerability baked into MCP SDKs across Python, TypeScript, Java, Rust
  • 200,000+ instances exposed; Anthropic says behavior is “expected”

Security researchers Ox have claimed Anthropic’s Model Context Protocol (MCP) contains a “critical, systemic vulnerability” which puts hundreds of thousands of instances at risk of remote code execution (RCE).

Anthropic, on the other hand, allegedly said the system works as intended.

MCP is a standard that lets AI tools securely connect to external data sources and apps. It is a vital component for any model, since without it a model can only rely on the data it was trained on. The standard is used by both AI companies and developers building AI tools, and it appears in OpenAI and DeepMind products as well as in Anthropic’s own Claude apps.


Millions are affected

In their findings, Ox researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar said that what they found in MCP was not a “traditional coding error”, but an “architectural design decision baked into Anthropic’s official MCP SDKs across every supported programming language, including Python, TypeScript, Java, and Rust.”

“Any developer building on the Anthropic MCP foundation unknowingly inherits this exposure,” they warned.

Ox said the flaw can be triggered in different ways: from unauthenticated UI injection to hardening bypasses in “protected environments”, and from zero-click prompt injection in leading AI IDEs to malicious marketplace distributions.

They claim to have successfully executed commands on six live production platforms and identified critical vulnerabilities in “industry staples like LiteLLM, LangChain, and IBM’s LangFlow.”

The researchers said more than 7,000 publicly accessible servers and up to 200,000 instances are now vulnerable. So far, they’ve issued 10 CVEs and helped remedy the bugs. “However, the root cause remains unaddressed at the protocol level.”

Ox also said it reached out to Anthropic and recommended root patches, to which the company said the MCP’s behavior is “expected”.



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
