This article was originally published on LucidShark Blog . ← Back to Blog Last week, OX Security published a disclosure that should be on every engineering team's radar. A systemic remote code execution vulnerability in Anthropic's Model Context Protocol affects every official SDK: Python, TypeScript, Java, and Rust. The blast radius: 150 million downloads, 7,000 publicly exposed servers, 10-plus CVEs spawned across downstream projects. Anthropic's response: this is expected behavior. The protocol will not be modified. That means the fix has to come from you. This post is the concrete checklist. What the vulnerability does: MCP's STDIO transport mechanism executes commands before validation. The sequence is: receive command, run subprocess, then check if the process was a legitimate MCP server. If it wasn't, an error is returned, but the command has already executed. Whoever controls the content of that command field controls what runs on your machine.…