MCP RCE flaw hits agent stack

MCP’s stdio transport is looking less like a harmless local integration detail and more like a supply-chain boundary that agent builders treated too casually.

• –The scary part is architectural: if untrusted input can influence command or argument configuration, “connect this tool” can become “run this process.”
• –Anthropic’s “expected behavior” stance pushes responsibility onto every downstream app, which is exactly how ecosystem-scale security debt spreads.
• –Developers shipping MCP support should treat server configs like executable code: preapproved commands, sandboxing, no public exposure, and aggressive monitoring.
• –This does not kill MCP, but it does raise the bar for registries, IDEs, and agent platforms that have been optimizing for easy install over constrained execution.