Introduction
The Model Context Protocol (MCP) was designed by Anthropic as an open standard for AI agent-to-tool communication, adopted by OpenAI and Google DeepMind, and donated to the Linux Foundation. With over 150 million downloads, it has become foundational. However, researchers at OX Security uncovered a critical architectural flaw: the default STDIO transport executes any operating system command it receives without sanitization. This affects an estimated 200,000 servers, with 7,000 publicly exposed. Anthropic labels this behavior as expected, placing the burden on developers to sanitize inputs. This guide provides a step-by-step approach to assess your exposure, review affected products, and implement mitigations. Follow these steps to secure your MCP deployments.
What You Need
- Access to your organization's MCP deployment configurations
- Network scanning tools (e.g., Nmap, Shodan) to identify exposed servers
- List of all AI agents and tools using MCP (e.g., LangFlow, Flowise, LiteLLM, Windsurf, etc.)
- Knowledge of your transport method (default STDIO or HTTP)
- Permissions to modify server configurations and apply patches
- Vulnerability database access (e.g., CVE details for affected products)
Step-by-Step Guide
Step 1: Identify All MCP-Connected AI Agents and Tools
Start by creating an inventory of every AI agent and tool in your environment that uses MCP. These include LiteLLM, LangFlow, Flowise, Windsurf, Langchain-Chatchat, Bisheng, DocsGPT, GPT Researcher, Agent Zero, LettaAI and others. Use configuration management databases or network discovery tools. Record each instance's transport method (default STDIO or HTTP). This step is critical because only STDIO is vulnerable; HTTP-based transports are not affected in the same way.
Step 2: Determine Which Deployments Use STDIO Transport
Check the configuration files of each MCP instance. Look for the transport parameter. If it is set to STDIO (the default in Anthropic's official Python, TypeScript, Java, and Rust SDKs), your deployment is at risk. If using HTTP transport, the risk is reduced – but still verify that input validation is applied. Note that many legacy or quick-start deployments default to STDIO. Document every instance using STDIO.
Step 3: Scan for Exposed STDIO Servers on Public IPs
Use network scanning tools to identify MCP servers listening on public IP addresses with STDIO transport active. OX Security found 7,000 such servers publicly exposed. Run a scan on your organization's public IP ranges, looking for open ports associated with MCP (default 3000 or custom). If you find any, immediately flag them as high risk – they allow unauthenticated remote command injection. You can use services like Shodan to cross-reference known MCP server fingerprints.
Step 4: Verify Input Sanitization Implementation
For each STDIO-based MCP deployment, check whether your development team has implemented input sanitization. Anthropic's stance is that sanitization is the developer's responsibility, but OX Security argues this is unrealistic at scale. Perform a code review to see if any input validation is applied before commands reach STDIO. If not, assume arbitrary command execution is possible. The exploitation families identified by OX include unauthenticated command injection through AI framework web interfaces, which are particularly dangerous.
Step 5: Review CVEs Affecting Your Specific Products
The OX Security research produced over 10 CVEs rated high or critical. Key CVEs affect LiteLLM, LangFlow, Flowise, Windsurf, Langchain-Chatchat, Bisheng, DocsGPT, GPT Researcher, Agent Zero, LettaAI. Access the CVE database (e.g., NVD) and check if your product versions are listed. Apply any patches released by vendors. If no patch exists, consider the product vulnerable and proceed to mitigation in Step 6.
Step 6: Apply Mitigations
There are several ways to reduce or eliminate the command execution risk:
- Switch to HTTP transport: If your MCP deployment supports HTTP, reconfigure to use it instead of STDIO. HTTP transport does not directly execute OS commands and adds a layer of abstraction.
- Implement input sanitization: For STDIO deployments, add strict input validation and allowlisting of commands. For example, only permit specific command patterns and reject any unexpected input.
- Isolate MCP environments: Run MCP servers in containers or sandboxes with minimal privileges. Use network segmentation to limit exposure to public networks.
- Deploy Web Application Firewall (WAF): If the MCP server is exposed via HTTP, use a WAF to detect malicious command patterns.
- Disable STDIO if not needed: If your AI agent doesn't require direct command execution, disable STDIO altogether.
Step 7: Monitor for Exploitation Attempts
After applying mitigations, set up logging and monitoring to detect exploitation attempts. Look for unusual OS commands in MCP logs, unexpected process creation, or outbound connections from the MCP server. Use Security Information and Event Management (SIEM) tools to correlate events. Consider deploying honeypots with fake MCP instances to capture attacks. Regularly review logs and adjust rules as needed.
Tips
- Do not rely solely on protocol defaults: MCP's STDIO default is intentionally designed to execute commands. Always verify if an alternative transport (HTTP) is available and prefer it.
- Educate developers: Ensure all developers using MCP understand that input sanitization is not optional. Provide guidelines and code snippets for validation.
- Perform regular security audits: Schedule at least monthly scans of your MCP infrastructure. The rapidly evolving ecosystem means new CVEs may appear – stay updated via mailing lists from OX Security or the CVE feeds.
- Consider a phased rollout: If you must use STDIO, deploy in isolated staging environments first, test for command injection, then move to production only after adding proper controls.
- Document your mitigations: Maintain a record of which deployments were patched, which transport was used, and any additional security layers. This helps in audits and future incident response.
- Monitor vendor responses: Follow Anthropic's official announcements regarding MCP updates. While they consider STDIO behavior expected, future revisions might alter the transport default – be ready to adapt.
By following these steps, you can systematically address the command execution flaw in your MCP deployments. The key is to act quickly, prioritize exposed public servers, and always assume default configurations are insecure until proven otherwise.