[jdns]

i'd honestly say it's closer (but not analogous) to opening a website in your browser. you wouldn't expect javascript on a website to be able to escape the sandbox and run arbitrary code on your computer.

companies taking this seriously and awarding bounties is indicative it's fairly severe

[datadrivenangel]

Malware from untrusted websites is as old as the internet. With advertisements, even trusted sites can deliver hostile content.

The RCE/Malware issue aside, if the website you go to is a login page for some service, do you know it's the legitimate website? MCP Phishing is going to be a thing

[mehdibl]

this issue is not even MCP at the core. Claude Code/ Gemini CLI were opening "url's" without sanitization and validation. That's the core flaw. There is a second issue with an XSS flawed package too in the bridge that is easy to patch.

So there is a chain of issues and you need to leverage them to get there and first pick an MCP that is flawed from a bad actor.

[jdns]

yeah, i was comparing MCP clients to browsers. connecting to an MCP shouldn't leave you vulnerable to RCE on your host.

also, the way MCP servers are presented right now is in sort of a "marketplace" fashion meaning it's not out of the question you could find one hosted by a bad actor. PyPI/npm are also like this, but it's different since it's not like you can vet the source code of a running MCP. packages are also versioned, unlike MCP where whoever is hosting them can change the behaviour at any time without notice.

[fulafel]

JS has been able to escape the sandbox as long as browsers had JS support.

The stream of vulnerability discoveries has been constant.