MCP Protocol Hit by Design-Level RCE Vulnerability; Anthropic Refuses Architecture Changes

Gate News message, April 21 — Security firm OX Security has disclosed a design-level remote code execution (RCE) vulnerability in MCP (Model Context Protocol), the open standard for AI agents to invoke external tools, which is led by Anthropic. Attackers can execute arbitrary commands on any system running a vulnerable MCP implementation, gaining access to user data, internal databases, API keys, and chat histories.

The flaw stems not from implementation errors but from default behavior in Anthropic’s official SDK when handling STDIO transport—affecting Python, TypeScript, Java, and Rust versions. The StdioServerParameters in the official SDK directly launches subprocesses based on configuration command parameters; without additional input sanitization by developers, any user input reaching this stage becomes a system command. OX Security identified four attack vectors: direct command injection via configuration interfaces, bypassing sanitization with whitelisted command flags (e.g., npx -c), prompt injection in IDEs to rewrite MCP configuration files for tools like Windsurf to run malicious STDIO services without user interaction, and injecting STDIO configurations through HTTP requests in MCP marketplaces.
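As an added defensive illustration (not OX Security's or Anthropic's code, and not the SDK's own API), the check below validates an MCP STDIO server configuration before it is handed to the subprocess launcher, allowlisting both the command and the flags it may receive so that an allowlisted launcher cannot be repurposed through a flag; the config shape, allowlists and sample values are assumptions for this example.

```python
import re
from typing import Any

# Per-command allowlist of flags a STDIO server config may pass. Everything
# else, including flags that hand the launcher arbitrary code, is rejected.
# Constructed for this example; tune to what your deployment actually needs.
ALLOWED_COMMANDS: dict[str, set[str]] = {
    "npx": {"-y", "--yes"},
    "uvx": set(),
}
# Positional arguments (package names) must match this conservative shape.
POSITIONAL_RE = re.compile(r"^[A-Za-z0-9@][A-Za-z0-9@._/-]*$")
# Environment keys a config is allowed to set for the child process (assumed).
ALLOWED_ENV_KEYS = {"LOG_LEVEL"}


def validate_stdio_config(cfg: dict[str, Any]) -> tuple[bool, str]:
    """Return (ok, reason). Run this before the config reaches the SDK's
    subprocess launcher; a False result means the config must not be used."""
    command = cfg.get("command")
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        return False, f"command not allowlisted: {command!r}"
    args = cfg.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return False, "args must be a list of strings"
    allowed_flags = ALLOWED_COMMANDS[command]
    for arg in args:
        if arg.startswith("-"):
            # Flags are accepted only from the per-command allowlist, so an
            # allowlisted launcher cannot be turned into a code runner via a flag.
            if arg not in allowed_flags:
                return False, f"flag not allowlisted for {command}: {arg!r}"
        elif not POSITIONAL_RE.match(arg):
            return False, f"positional argument has unexpected characters: {arg!r}"
    env = cfg.get("env", {})
    if not isinstance(env, dict):
        return False, "env must be a mapping"
    for key, value in env.items():
        # The environment can change what the launcher executes, so gate it too.
        if key not in ALLOWED_ENV_KEYS or not isinstance(value, str):
            return False, f"env key not allowlisted: {key!r}"
    return True, "ok"
```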

According to OX Security, affected packages have been downloaded over 150 million times, with 7,000+ publicly accessible MCP servers exposing up to 200,000 instances across 200+ open-source projects. The team submitted 30+ responsible disclosures, resulting in 10+ high-severity or critical CVEs covering AI frameworks and IDEs including LiteLLM, LangFlow, Flowise, Windsurf, GPT Researcher, Agent Zero, and DocsGPT; 9 of 11 tested MCP package repositories could be compromised using this technique.

Anthropic responded that this is “by design,” calling STDIO’s execution model a “secure default design,” and shifted input sanitization responsibility to developers, refusing to modify the protocol or official SDK. While DocsGPT and LettaAI have released patches, Anthropic’s reference implementation remains unchanged. With MCP becoming the de facto standard for AI agents accessing external tools—followed by OpenAI, Google, and Microsoft—any MCP service using the official SDK’s default STDIO approach could become an attack vector, even if developers write error-free code.
