Anthropic's MCP Has a Critical RCE Vulnerability. We Don't Use MCP. Here's Why.

OX Security dropped a disclosure on April 15th. Anthropic's Model Context Protocol — the STDIO transport that connects AI models to tools — has a configuration-to-command-execution path baked into the SDK. Python. TypeScript. Java. Rust. All of them. 150 million downloads affected. 200,000 servers exposed. Anthropic's response: "expected behavior."

Expected behavior. Remote code execution is expected behavior.

The CVE chain reads like a casualty list. MCP Inspector. LibreChat. Windsurf. LiteLLM. Langchain-Chatchat. NGINX-UI — that one's actively exploited, 2,600 instances on Shodan right now. The TypeScript SDK leaks responses between clients. Unit 42 published prompt injection vectors through MCP sampling. Someone built a whole tracking site at vulnerablemcp.info because the list got too long for a blog post.

The root cause is architectural. MCP trusts the transport. The STDIO interface gives an AI model a pipe to execute commands on the host. The configuration file tells MCP what tools are available, and the path from "tool definition" to "command execution" has no gate. If you can manipulate the configuration — through prompt injection, through a malicious MCP server, through a compromised dependency — you own the host.

This is the same class of vulnerability that hit Vercel last week. Context.ai had an OAuth token that gave it access to Vercel's Google Workspace. One compromised integration, one trusted connector, and the attacker is inside. OAuth tokens, MCP STDIO pipes — same pattern. The connector is the vulnerability.

We ship 12 integrations. VS Code extension. Chrome extension. CLI tool. GitHub Action. Slack bot. Splunk Technology Add-on. Microsoft Sentinel connector. Elastic integration. Obsidian plugin. Neovim plugin. Raycast extension. Scanner core npm package. None of them use MCP.

Every single one is a thin HTTP client that calls a REST API. GET request. Bearer token. JSON response. No protocol negotiation. No STDIO pipe. No configuration-to-execution path. No sampling feature. No bidirectional trust.

The worst case scenario if someone steals one of our API keys: they get free threat intelligence. They can search our 1,089,889 IOCs, query our Tor relay index, look up .onion addresses. Read-only access to data we publish openly in our STIX feed anyway. They cannot execute commands on the host. They cannot pivot to other systems. They cannot read files, spawn processes, or modify configurations.

That is not an accident. That is architecture.

The AS/400 had this figured out in 1988. The Technology Independent Machine Interface sits between the application and the hardware. The application cannot reach past the interface. It asks questions and gets answers. It does not get a shell.

Our integrations are coprocessors. The STIX feed is the TIMI. Each plugin asks a question — is this IP malicious? Is this a Tor relay? What is the threat level? — and gets a JSON response. The plugin cannot reach past the API. It cannot execute commands on the analytics server. It cannot modify the index. It cannot talk to other plugins.

MCP's design assumes trusted tools. Our design assumes nothing is trusted. The API authenticates every request. The response contains data, not instructions. The integration renders the data in whatever format the platform needs — a VS Code notification, a Slack block, a Splunk event, a Kibana dashboard. The rendering is local. The intelligence is remote. The boundary is absolute.

Twelve integrations. Zero MCP dependencies. Zero STDIO pipes. Zero command execution paths. Zero CVEs.

We built this on top of Claude. We use Claude every day. We are ride-or-die Anthropic. But we do not use MCP because we read the spec and saw a protocol that trusts the transport, and we build threat intelligence for a living. We know what happens when you trust the transport.

150 million downloads trusted the transport.

analytics.dugganusa.com/stix/pricing

How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.

Audit your site now → aipmsec.com