%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
Recently, the Model Context Protocol (MCP), an industry-standard communication protocol developed and maintained by AI giant Anthropic, has faced serious security challenges. A security research team, OX Security, released a report indicating that the protocol has fundamental design flaws at the architectural level, which could lead to servers being tricked into executing arbitrary code (RCE). So far, 10 CVE identifiers have been associated with this issue, and the number continues to grow.
As an open protocol aimed at standardizing communication between AI models and external data sources, MCP had previously been favored and integrated by major companies such as Microsoft and Google. However, OX Security discovered in a study on April 15 that the vulnerability was not a simple coding oversight but deeply embedded in the official SDK. This means that MCP projects built using Python, TypeScript, Java, or Rust are all vulnerable and exposed to risk.
Researchers, through testing, identified four mainstream attack vectors: unauthenticated UI injection, bypassing security hardening, prompt injection, and malicious plugin distribution. Several major open-source projects, including LiteLLM, LangChain, and IBM LangFlow, have been confirmed to have critical vulnerabilities and have been successfully exploited in real production environments. This discovery has effectively dropped a heavy bomb into the rapidly developing field of AI infrastructure.
In response to the research team's feedback, Anthropic's attitude has sparked widespread discussion in the industry. It is reported that the research team had attempted multiple times to communicate and urge the company to fix the architectural flaw, but Anthropic refused to modify the underlying architecture and responded that this behavior was "intended design." Subsequently, the research team decided to disclose the findings to the public, with the consent of the other party, to remind developers to take preventive measures.
In response to the current risks, security experts have issued urgent recommendations to users and developers: Do not directly expose large language models and related AI tools to the public network. When processing MCP input data, treat it as an untrusted source and strictly prevent prompt injection attacks. Additionally, it is recommended that all services based on MCP should run in a strict sandbox environment and update relevant software promptly to tighten system permissions as much as possible.