Oh, look, letting AI just have the run of your databases with full privileges is a dumb idea.
Whodathunk?
Anthropic says it won't fix an SQL injection vulnerability in its SQLite Model Context Protocol (MCP) server that a researcher says could be used to hijack a support bot and prompt the AI agent to send customer data to an attacker's email, among other things. MCP is an open-source protocol that Anthropic introduced in November …
Surprised myself, but I’m with Anthropic here. If the repo is archived and the concern is that it’s been forked, there’s very little that them pushing a fix to it would achieve. The forks simply won’t pick it up.
This feels a bit like blaming Stack Overflow for hosting a bad answer. Sure, it’d be better if it wasn’t there, but it’s on you if you copy example code and it does something dumb. This wasn’t exactly released software.
If I were Anthropic I’d just shrug and delete the repo: “fixed”.
Sorry, but if there is one company in the world that doesn't get to shrug and say that it's not a problem because a human should always be in the loop, it's Anthropic.
Anthropic CEO Dario Amodei:
"If I look at coding, programming, which is one area where AI is making the most progress. What we are finding is that we're 3 to 6 months from a world where AI is writing 90% of the code. And then in 12 months, we may be in a world where AI is writing essentially all of the code."
Perhaps I'm just feeling pernickety today, and much as I enjoy a bit of "bash the techbros", but:
>> The MCP specification recommends human oversight for this type of tool – there should always be a human in the loop with the ability to deny tool invocations, meaning users would review these queries before execution.
So they state the specs you are coding against includes supervision.
You point out that Anthropic reckons that code can be written by their "AI". Following the specs.
Where is the conflict?
(Any argument that the machine-generated code isn't going to follow the specs isn't a conflict; it would just be an argument that the "in 12 months..." opinion isn't proving accurate.)
• "Young people: be the life of the party and get laid by beautiful partners! Drink Blotto Beer*"
* "Always drink responsibly."
• "Young people: buy our cool, LED-lit, flashily-styled vape device and nicotine-containing vape juice, and get laid by beautiful partners!§"
§ "The Surgeon-General warns that nicotine is an addictive substance."
• "CEOs: buy our AI Thing, slash headcount, replace the fired workers with our fully-automatic system, get stinkin' rich, and be the envy of all your fellow CEOs!∆"
∆ "All AI inputs and outputs should be monitored and reviewed by humans."
> it’s on you if you copy example code and it does something dumb. This wasn’t exactly released software.
Absolutely.
There is loads of example code around where the intent is "you already know about SQLite[1] and want to have an idea of how to use it with our exciting new code; so, here is a way to tie the two together - note carefully which of our APIs we are using and you can see the straightforward SQL query that it generates".
It is then absolutely reasonable to assume that anybody who wants to expose anything with a database in it to the general public has looked up how to use SQLite's own API to turn *any* "straightforward SQL query" into a safe and robust, fully sanitised[2] invocation - if that code was given in the example then it'll bloat it out and obscure the stuff that is the purpose of the example.
[1] or other package
[2] you are using SQLite's value insertion APIs and not just string concatenation? Loads of lines to set that up, filling in the inputs, pulling out the outputs, commentary on how the query has been tweaked so that these specific filling & pulling calls work - great example if you are trying to teach how to use SQLite (or other package).
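The footnote's distinction between string concatenation and SQLite's value-binding API, as an added example (this is not code from the thread, the article, or Anthropic's MCP server; the `customers` table, its rows, the `lookup_*` / `count_rows` names and the injection string are all constructed for the demo):

```python
"""Added example: string-concatenated SQLite query vs. a parameter-bound one.
Nothing here is taken from the MCP SQLite server; the table, rows and
function names are constructed for illustration."""
import re
import sqlite3

# Identifier names (tables, columns) cannot be passed as bound parameters,
# so a tool that lets callers pick a table must validate the name itself.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed attacker input: closes the quoted literal and appends a tautology.
INJECTION = "nobody' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory 'customers' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'straightforward SQL query' built by concatenation.
    The caller's string becomes part of the SQL text, so quotes in it
    change the statement instead of being compared as data."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same query using SQLite's value-binding API ('?' placeholder).
    The statement is compiled first; the value is attached afterwards and
    is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    """Identifiers can't be bound, so check the name before splicing it in.
    The regex admits only plain identifier characters (no quotes, spaces or
    semicolons); the double quotes make the result an SQL identifier."""
    if not _IDENT.match(table):
        raise ValueError(f"bad table name: {table!r}")
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # Concatenation: the tautology leaks every row in the table.
    print("unsafe:", lookup_unsafe(db, INJECTION))
    # Binding: no customer is literally named "nobody' OR '1'='1", so nothing matches.
    print("safe:  ", lookup_safe(db, INJECTION))
    print("rows:  ", count_rows(db, "customers"))
```

The extra lines the footnote mentions are visible here: the bound version is one placeholder and one tuple, but the real cost in a "how to wire this up" example is the identifier check, which a value-binding API cannot do for you and which an agent-facing tool that accepts table names needs anyway.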
Everywhere I go I keep hearing that you need to "enable developers" & "allow innovation"; this technical design authority, change control, application management & saying NO! NO! to them & slapping them with a rolled-up newspaper isn't allowed.
Add offshoring to this and "just in time training", as well as somehow developers being able to offload ANY responsibility for anything they do to everyone else.... is it any wonder ransomware, hacking etc. is set to become a $10 trillion industry?
Dug into the MCP implementation to understand how these millions of bloatware libraries that obfuscate the whole MCP implementation work. Well, it seems if you want to run an MCP host, you need a callback on your public HTTPS server to provide the tools of the MCP server to the Agent. Currently ngrok is the go-to solution. Well, that is never going to work to create a public endpoint on on-premises servers for employees in a company to use MCP for a particular solution. It's a major mistake in the MCP design and only created to keep control of the host by big companies such as Anthropic's Claude Desktop, for Big Brother to watch you. Take care and understand what is under the hood. Until MCP adds an API to send tools FROM the host to the agent, MCP is an enterprise failure, only useful for hobbyists that run a dedicated desktop app on their PC.
Actually this situation/design is caused by the agents and not the MCP spec. But surprisingly they all seem to use the same callback solution: OpenAI, Anthropic, Google etc.
Even worse, AFAIK this callback isn't even protected by OAuth or other authorization mechanisms.
Another fact is that MCP could easily result in on-premises, confidential data flowing into the Agent's system. Another big red flag.
MCP is a great idea and I will use it for my own in-house servers and APIs I can control (which idiot would implement an SQL call in their MCP server anyhow?), but for enterprise it's a real big question.