What is STDIO Transport in MCP?

STDIO Transport is the MCP communication channel that uses standard input and standard output streams between an MCP Host and a local MCP Server running as a subprocess. When you configure Claude Desktop or Cursor to talk to a GitHub MCP server, an npm filesystem server, or any local tool, STDIO is almost always the transport in play.

The host launches the server as a child process, writes JSON-RPC messages to its stdin, and reads responses from its stdout. STDIO is fast, requires no network setup, and inherits the host’s user identity. That convenience is also where most STDIO-related vulnerabilities come from, because every command-line argument passes through the OS shell.

How STDIO Transport Works

The host reads its mcp.json config and finds an entry like { "command": "npx", "args": ["my-mcp-server"], "env": {…} }. It calls the OS process spawn API with that command, those arguments, and those environment variables. The new process opens stdin and stdout, the host wires them up, and JSON-RPC traffic starts flowing. Each message is newline-delimited JSON. Environment variables carry credentials. There is no network, no TLS, no OAuth. Trust is inherited from the local user account.

Why STDIO Transport Has a Different Security Posture

Because STDIO runs as a subprocess on the user’s machine, the MCP spec explicitly says STDIO servers SHOULD NOT use OAuth. Credentials live in environment variables instead. That sounds simple, but it creates real risk. Anthropic’s STDIO interface gave researchers a configuration-to-command-execution path across all official SDK implementations, leading to CVE-2026-30615 and a cascade of related CVEs. The attack pattern: any value the host passes as a command argument can be turned into arbitrary OS execution if not properly validated. STDIO also offers no audience validation, no token scoping, and no central revocation.

How to Secure STDIO Transport

Treat every value in mcp.json as code that will run with user privileges. Pin server packages by exact version and hash. Sandbox each STDIO server inside a container or restricted namespace. Never source mcp.json from untrusted locations or auto-update it from web content. Watch for CurXecute-style attacks where prompt injection rewrites mcp.json on disk. The Certified MCP Security Expert (CMCPSE) course breaks down STDIO attack chains with hands-on CVE reproductions.
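
An added example, not code from the original page or from any MCP SDK: a pre-launch audit of mcp.json that flags shell-interpreter commands, shell metacharacters in arguments and unpinned npx packages, and fingerprints the file so an on-disk rewrite is noticed. The "mcpServers" wrapper key, the server names and the sample entries are assumptions; checking package hashes is outside what this block covers.

```python
import hashlib
import json
import re

# Constructed sample; the "mcpServers" wrapper and the server names are assumptions.
SAMPLE_CONFIG = {"mcpServers": {
    "pinned":   {"command": "npx", "args": ["-y", "my-mcp-server@1.4.2"]},
    "floating": {"command": "npx", "args": ["-y", "my-mcp-server"]},
    "shelled":  {"command": "bash", "args": ["-c", "my-mcp-server; echo done"]},
}}

SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
SHELL_META = re.compile(r"[;&|`$<>\n]")
EXACT_PIN = re.compile(r"^(@[\w.-]+/)?[\w.-]+@\d+\.\d+\.\d+$")  # name@1.2.3

def audit_server(entry):
    """Return a list of findings for one server entry (command and args)."""
    findings = []
    command = str(entry.get("command", ""))
    args = [str(a) for a in entry.get("args", [])]
    # Compare on the executable's base name so full paths are handled too.
    base = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base in SHELLS:
        findings.append("command is a shell interpreter")
    for arg in args:
        if SHELL_META.search(arg):
            findings.append(f"shell metacharacter in argument {arg!r}")
    if base == "npx":
        # The first non-flag argument is taken to be the package spec.
        packages = [a for a in args if not a.startswith("-")]
        if packages and not EXACT_PIN.match(packages[0]):
            findings.append(f"package {packages[0]!r} is not pinned to an exact version")
    return findings

def audit_config(config):
    """Map each server name to its findings; an empty list means nothing flagged."""
    return {name: audit_server(e) for name, e in config.get("mcpServers", {}).items()}

def fingerprint(config):
    """SHA-256 over canonical JSON, so key order does not change the digest."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    approved = fingerprint(SAMPLE_CONFIG)  # stored when the config was last reviewed
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
    print("matches approved baseline:", fingerprint(SAMPLE_CONFIG) == approved)
```

Comparing the fingerprint against a value recorded at review time, before the host spawns anything, is what catches a config that was rewritten between sessions.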

Summary

STDIO Transport is the local subprocess channel that powers most MCP server installations today. It skips OAuth in favor of OS-level trust, which makes it fast but also turns every config field into a potential RCE primitive. The Certified MCP Security Expert (CMCPSE) certification teaches you to harden STDIO transports against the exact CVE patterns hitting Anthropic, Cursor, and Windsurf in 2026.
