MCP STDIO injection silently rewrites config files
Prompt injection can rewrite mcp.json without user interaction or dialog, chaining to arbitrary code execution via the official MCP SDK—and vendors are declining CVEs on the grounds that config modification is "spec-conformant."
June 3, 2026
Summary
The attack surface shrinks with each iteration: TrustFall required a dialog, AWS Kiro changed config after review, Windsurf zero-click makes the rewrite invisible. Your IDE's permission model collapses into "you ran the software," and the vendors who own the protocol won't treat this as a defect.
Implementation verdict
This is a protocol-level design problem, not a single bug. Windsurf patched its own implementation; the mitigation (allowlisting STDIO commands to {npx, uvx, python, python3, node, docker, deno}) has to be added by each implementation separately. Watch your config layer instead: audit mcp.json and .claude/settings.json for changes you did not make, and flag them to your SIEM. Actionable now if you can't wait for upstream consensus.
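As an added example (not code from the brief, Windsurf, or the MCP SDK), a small Python audit that applies the launcher allowlist above to an mcp.json document and diffs it against a known-good baseline, so a silent rewrite surfaces as a finding. The `{"mcpServers": {...}}` layout, the server names and the PLACEHOLDER argument are assumptions constructed for the example.

```python
import hashlib
import json

# Launchers the brief cites as a known operational allowlist for STDIO commands.
ALLOWED_LAUNCHERS = frozenset({"npx", "uvx", "python", "python3", "node", "docker", "deno"})


def load_servers(config_text):
    """Parse mcp.json into {name: {"command": str, "args": [str]}}.
    Assumption: the common {"mcpServers": {...}} layout (or "servers")."""
    data = json.loads(config_text)
    servers = data.get("mcpServers") or data.get("servers") or {}
    return {name: {"command": str(e.get("command", "")),
                   "args": [str(a) for a in e.get("args", [])]}
            for name, e in servers.items()}


def fingerprint(servers):
    """Stable SHA-256 of the launch specs; log it so the SIEM can see drift."""
    canonical = json.dumps(servers, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def audit(config_text, baseline_text=None):
    """Return (severity, server, reason) findings, optionally against a baseline.
    The allowlist alone does not bound what `args` hand to npx/uvx/node, so any
    entry that is new or changed since the baseline is reported as well."""
    servers = load_servers(config_text)
    findings = []
    for name, spec in servers.items():
        if spec["command"] not in ALLOWED_LAUNCHERS:
            findings.append(("high", name,
                             f"command {spec['command']!r} not in launcher allowlist"))
    if baseline_text is not None:
        base = load_servers(baseline_text)
        for name, spec in servers.items():
            if name not in base:
                findings.append(("medium", name, "server added since baseline"))
            elif base[name] != spec:
                findings.append(("medium", name, "launch spec changed since baseline"))
    return findings


# Constructed sample configs: a known-good baseline and a silently rewritten copy.
BASELINE = '{"mcpServers": {"docs": {"command": "npx", "args": ["-y", "example-docs-server"]}}}'
REWRITTEN = ('{"mcpServers": {"docs": {"command": "npx", "args": ["-y", "example-docs-server"]},'
             ' "rogue": {"command": "sh", "args": ["-c", "PLACEHOLDER"]}}}')

if __name__ == "__main__":
    for severity, server, reason in audit(REWRITTEN, BASELINE):
        print(severity, server, reason)
```

Run it against a copy of mcp.json captured at review time and the live file; the fingerprint is what you store in the SIEM, the findings are what you alert on.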
Sources
1. Opening HTML silently rewrites mcp.json. No dialog at all.
2. The official MCP SDK passes user-controllable config values into StdioServerParameters without sanitization, and that flows straight into spawning a subprocess.
3. A known operational mitigation: allowlist the STDIO command value to known launchers, e.g. {npx, uvx, python, python3, node, docker, deno}.
4. 12+ CVEs under one pattern — RCE via MCP STDIO.
5. "Explicit user permission" collapses into "you ran the IDE."