TopVuln

High-risk vulnerability digests

CVE-2025-54994

  • CRITICAL

Command Injection in the @akoskm/create-mcp-server-stdio MCP Starter Kit Enables RCE in Servers Built From It

Details

CVSS v3
9.9
CVSS v4
9.3
NVD published
2025-09-08 20:15:35
EPSS
0.2% probability · 48.5th percentile — 2026-04-19
Affected versions
Versions prior to 0.0.13 (per the NVD summary); fixed in 0.0.13.
Summary
@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, one of its MCP tool definitions and implementations is vulnerable to command injection. The server exposes the tool `which-app-on-port`, which relies on the Node.js child process API `exec`; `exec` runs its argument through a shell, so concatenating untrusted input into it is unsafe. Because an MCP tool's arguments are supplied by the model, and the model's context can be attacker-influenced, that input must be treated as untrusted. Version 0.0.13 contains a fix for the issue.
Remediation
Upgrade @akoskm/create-mcp-server-stdio to 0.0.13 or later. Servers scaffolded from earlier versions carry the `which-app-on-port` tool with them and should be patched the same way: do not concatenate the port argument into an `exec` string, validate it strictly, and pass it as a separate argument to a non-shell API.
Exploit info
Not available in our cache.

View on NVD

TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.

Subscribe — free email digest or paid plan

Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.