From MCP to shell: MCP auth flaws enable RCE in Claude Code, Gemini CLI and more
5 hours ago
- #Remote Code Execution
- #OAuth Vulnerabilities
- #Cybersecurity
- Security testing revealed vulnerabilities in how tools like Claude Code and Gemini CLI connect to MCP servers, giving attackers remote control of users' computers.
- Exploits demonstrated include 'popping calc' (remote code execution) and potential for installing malware or reverse shells.
- MCP's OAuth standard introduced vulnerabilities due to clients not validating authorization URLs from malicious servers.
- Cloudflare's use-mcp library was found vulnerable to XSS attacks via arbitrary JavaScript execution from server-supplied URLs.
- Anthropic's MCP Inspector was exploited to escalate XSS to Remote Code Execution (RCE) using the stdio transport.
- Claude Code and Gemini CLI were vulnerable to command injection, allowing arbitrary code execution on user systems.
- ChatGPT's Developer Mode was nearly exploited similarly but was protected by its Content Security Policy (CSP).
- Industry responses included fixes like URL sanitization, eliminating shell usage, and updating SDKs to block dangerous URI schemes.
- Acknowledgements were given to Cloudflare, Anthropic, and Google VRP for their swift patching and bounty programs.
- The incident underscores the importance of defense-in-depth strategies and the benefits of broad, upstream security improvements in the AI ecosystem.
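The two client-side fixes the summary names, validating the server-supplied authorization URL and launching the browser without a shell, can be shown in a few lines. The following is an added example, not code from the article or from Claude Code, Gemini CLI, use-mcp or any MCP SDK. It assumes an MCP client that receives `authorization_url` from a remote server during the OAuth flow; the function names, the loopback-only exception for plain `http`, and the sample URLs are all constructed for this illustration.

```python
"""Validate an MCP server-supplied OAuth authorization URL before opening it.

Added example (not from the article or any named project). It assumes a client
that receives ``authorization_url`` from a remote MCP server and wants to
(1) accept only http(s) URLs, so ``javascript:``/``file:`` and similar schemes
never reach a browser or URL handler, and (2) launch the browser with an argv
list, never a shell string, so query-string characters such as ``&`` or ``;``
are passed as data rather than parsed by a shell.
"""
import subprocess
import sys
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"https", "http"}          # http is accepted for loopback only
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


class UnsafeAuthorizationUrl(ValueError):
    """Raised when a server-supplied authorization URL fails validation."""


def validate_authorization_url(url: str) -> str:
    """Return the URL unchanged if it is safe to hand to a browser, else raise."""
    if any(ch in url for ch in "\r\n\t\x00"):
        # Reject control characters before parsing: urlsplit() silently strips
        # some of them, which could hide a smuggled second URL or header line.
        raise UnsafeAuthorizationUrl("control characters in URL")
    url = url.strip()
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeAuthorizationUrl(f"disallowed scheme {scheme!r}")
    if not parsed.hostname:
        raise UnsafeAuthorizationUrl("missing host")
    if parsed.username or parsed.password:
        raise UnsafeAuthorizationUrl("userinfo not allowed in authorization URL")
    if scheme == "http" and parsed.hostname not in LOOPBACK_HOSTS:
        raise UnsafeAuthorizationUrl("plain http permitted only for loopback hosts")
    return url


def is_safe_authorization_url(url: str) -> bool:
    """Boolean form of validate_authorization_url() for callers that only branch."""
    try:
        validate_authorization_url(url)
        return True
    except UnsafeAuthorizationUrl:
        return False


def unsafe_shell_launch_string(url: str) -> str:
    """The pattern the fixes removed: a shell command string built from the URL.

    Returned only for comparison; never executed here. If this string were run
    through a shell, every metacharacter in the URL would be interpreted.
    """
    return "xdg-open " + url


def browser_launch_command(url: str, platform: str = sys.platform) -> list:
    """Return an argv list (no shell) that opens a validated URL in the browser."""
    safe = validate_authorization_url(url)
    if platform == "darwin":
        return ["open", safe]
    if platform.startswith("linux") or platform.startswith("freebsd"):
        return ["xdg-open", safe]
    # Windows launchers are deliberately omitted from this example.
    raise NotImplementedError(f"no browser launcher configured for {platform!r}")


def open_authorization_url(url: str, run=subprocess.run):
    """Validate, then launch via argv; shell=False is subprocess.run's default."""
    argv = browser_launch_command(url)
    return run(argv, check=False)


if __name__ == "__main__":
    # Constructed sample inputs: one benign URL and a few that a malicious
    # MCP server might return in place of a real authorization endpoint.
    for candidate in [
        "https://auth.example.com/authorize?client_id=abc&state=xyz",
        "http://127.0.0.1:8080/authorize",
        "javascript:alert(1)",
        "file:///etc/passwd",
        "http://not-loopback.example/authorize",
    ]:
        print(f"{candidate!r:60} safe={is_safe_authorization_url(candidate)}")
```

The `&` in `client_id=abc&state=xyz` illustrates the second point: `browser_launch_command` keeps the whole URL as a single argv element, whereas `unsafe_shell_launch_string` would hand a shell a string in which `&` is an operator, which is why the reported fixes eliminated shell usage rather than trying to escape the URL.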