🤖 AI Summary
Security researchers at Veria Labs disclosed a chain of vulnerabilities in the Model Context Protocol (MCP) ecosystem that allowed a malicious MCP server to execute arbitrary code on users’ machines. The root cause: many MCP clients blindly trusted an authorization URL supplied by the server during OAuth flows. In Cloudflare’s popular use-mcp library this led to a window.open(authUrl) XSS via javascript: URLs; in Anthropic’s MCP Inspector the XSS could steal a locally-held MCP_PROXY_AUTH_TOKEN and instruct the Inspector proxy (stdio transport) to spawn arbitrary local commands, escalating XSS to full remote code execution (RCE). Researchers demonstrated the exploit by “popping calc” and also devised command-injection payloads that worked against Claude Code and Google’s Gemini CLI by abusing Windows shell/PowerShell URL-launch helpers.
This is significant because MCP is designed to let LLMs talk to external tools, so a malicious MCP server can look like a benign connector but deliver executable payloads—enabling session hijack, account takeover, or malware installation. Fixes were rolled out quickly: Anthropic blacklisted dangerous URI schemes in the MCP TypeScript SDK, Cloudflare published strict URL sanitization, Claude Code eliminated unsafe shell usage, and Google replaced the vulnerable open package. The incident underscores that standard web defenses (CSP, URL validation, avoiding shell interpolation) remain critical for securing AI integrations that bridge browser and local processes.
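The sanitization step the summary describes (validating a server-supplied OAuth authorization URL before it reaches `window.open`), written as an added example that is not code from use-mcp, the MCP SDK, or the disclosure; the function names and the loopback-only exception for plain http are assumptions. It uses the WHATWG URL parser rather than a regex so that scheme casing, embedded tabs/newlines and leading whitespace cannot hide a `javascript:` scheme.

```javascript
// Added example: allowlist-based validation of a server-supplied authUrl
// before an MCP client hands it to window.open(). Only http(s) is accepted;
// javascript:, data:, blob:, file:, vbscript: and custom schemes are rejected.
const ALLOWED_PROTOCOLS = new Set(["https:", "http:"]);
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function validateAuthUrl(rawUrl, { allowHttpLoopback = true } = {}) {
  let url;
  try {
    // The WHATWG parser strips leading/trailing C0 controls and spaces,
    // removes embedded tabs/newlines and lowercases the scheme, so
    // "  JAVA\nSCRIPT:alert(1)" still parses with protocol "javascript:".
    url = new URL(String(rawUrl));
  } catch {
    return { ok: false, reason: "not an absolute URL" }; // also rejects "//host/path"
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `disallowed scheme ${url.protocol}` };
  }
  // Plain http is only tolerated for a local loopback authorization server
  // (assumed policy); anything remote must be https.
  if (url.protocol === "http:" && !(allowHttpLoopback && LOOPBACK_HOSTS.has(url.hostname))) {
    return { ok: false, reason: "plain http is only allowed for loopback hosts" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  return { ok: true, url: url.href };
}

// Wrapper that refuses to open anything validateAuthUrl rejects. `opener` is
// injectable so the logic can run outside a browser; in a browser the default
// calls window.open with noopener so the auth page cannot reach back.
function openAuthWindow(rawUrl, opener) {
  const verdict = validateAuthUrl(rawUrl);
  if (!verdict.ok) {
    throw new Error(`refusing to open authorization URL: ${verdict.reason}`);
  }
  const open = opener || ((href) => window.open(href, "_blank", "noopener,noreferrer"));
  return open(verdict.url);
}
```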