Anthropic MCP Exposes AI Supply Chain to RCE

Security researchers have uncovered a systemic, architectural vulnerability in Anthropic's Model Context Protocol (MCP) that can lead to remote code execution. Ox Security, Tenable Research, Oligo Security and others traced the root cause to how MCP implementations, SDKs, and developer tooling handle subprocesses and local transports. The most cited concrete finding is CVE-2025-49596 in MCP Inspector, given a CVSS 9.4 rating, and researchers estimate the vulnerable ecosystem spans 200,000+ exposed instances and upstream packages with 150 million+ downloads.

The problem is not a single implementation bug but an interaction between protocol design, transport choices, and default developer tooling behavior. Key technical points:

• •MCP uses STDIO as a lightweight local transport to spawn MCP servers as subprocesses. The current semantics return handles for commands that successfully create STDIO servers, but return errors after executing other commands, creating a detectable side channel and enabling command injection.
• •Developer tools like MCP Inspector historically shipped with permissive defaults: no mandatory authentication, enabled remote-accessible UIs, and the ability for MCP servers to spawn local processes; Tenable and Oligo show how a web-based exploit or CSRF chain can trigger RCE simply by a user visiting a malicious page.
• •The most severe exploit classes demonstrated include unauthenticated command execution, STDIO-based command injection, and browser-to-local attack chains that leverage modern browser flaws and cross-origin requests.

The flaw propagates through the MCP supply chain because Anthropic maintained the protocol and SDKs across multiple languages. Practical consequences include:

• •Developer machines and CI runners running MCP Inspector or other MCP-aware tools;
• •Hosted MCP servers and locally spawned subprocesses in production and developer environments;
• •Downstream AI applications and agents that import vulnerable MCP SDKs in Python, TypeScript, Java, Rust and others.

This is a supply-chain style security problem tailored to the AI tooling stack. MCP was designed to let models call out to tools and data sources; that same capability, when exposed without strict transport and execution semantics, converts into direct host-level attack surface. The issue differs from an isolated bug because it maps to a protocol design choice. Ox Security documented repeated disclosures to Anthropic and argued a protocol-level fix would have drastically reduced risk across packages with tens to hundreds of millions of downloads. Anthropic has updated security guidance and warned users to treat STDIO adapters with caution, but has not changed the protocol architecture, describing the observed behavior as expected.

Researchers and vendors recommend immediate steps to reduce exposure:

• •Upgrade developer tooling: update MCP Inspector to the patched release (0.14.1 or later) that addresses the specific input-validation and UI exposure issues;
• •Restrict network access to MCP developer UIs and proxies; run MCP Inspector and similar tools in isolated, non-production environments;
• •Disable or avoid STDIO transports when running untrusted servers, and require explicit authentication and sandboxing for MCP server processes;
• •Monitor dependency graphs for MCP SDKs and tools, and apply strict provenance controls in package registries and CI.

The core unresolved question is whether Anthropic will adopt a protocol-level change that alters MCP transport semantics, enforces authentication, or otherwise removes subprocess execution from the default trust model. Without that, fixes will remain piecemeal and the ecosystem will continue to need defensive controls. Expect more CVE disclosures as security teams audit MCP implementations and related agent tooling.