MCP - A security vulnerability was found in the MCP

A security vulnerability was found in the MCP server component of the Claude LLM, allowing arbitrary command execution through malicious server configurations.

Updated: 3/31/2026
Found a command injection vulnerability in Claude Code's MCP server launching. There's zero input validation on MCP server arguments before they're passed to spawn() at services/mcp/headersHelper.ts:62. A malicious MCP server config could run arbitrary commands on the system. Source: https://x.com/vectorspace21/status/2038956110993084908
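A pre-launch check for the missing validation described above, as an added example (not Claude Code's code and not the fix for this report): it audits MCP server entries before anything reaches `spawn()`. The `mcpServers` config shape, the allowlist and the sample entries are assumptions constructed for illustration.

```javascript
// Added example: audit MCP server entries before any of them is launched.
// Assumed config shape: { mcpServers: { <name>: { command, args } } }.
const ALLOWED_COMMANDS = new Set(["node", "python3"]); // assumption: site policy
const INLINE_CODE_FLAGS = new Set(["-c", "-e", "--eval", "-p", "--print"]);
const SHELL_META = /[;&|`$<>\n\r]/; // only meaningful to a shell, so suspicious here

function auditServer(name, entry) {
  const { command, args = [] } = entry || {};
  if (typeof command !== "string" || command.length === 0) {
    return [`${name}: command must be a non-empty string`];
  }
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    return [`${name}: args must be an array of strings`];
  }
  const findings = [];
  // Exact match, so "/tmp/node" or "node;x" never passes as "node".
  if (!ALLOWED_COMMANDS.has(command)) {
    findings.push(`${name}: command "${command}" is not on the allowlist`);
  }
  args.forEach((arg, i) => {
    if (INLINE_CODE_FLAGS.has(arg)) { // conservative: flagged for human review
      findings.push(`${name}: args[${i}] "${arg}" may run inline code`);
    }
    if (SHELL_META.test(arg)) {
      findings.push(`${name}: args[${i}] contains a shell metacharacter`);
    }
  });
  return findings;
}

function auditMcpConfig(config) {
  const report = {};
  for (const [name, entry] of Object.entries(config.mcpServers || {})) {
    report[name] = auditServer(name, entry);
  }
  return report;
}

// Constructed sample config, not taken from the report.
const SAMPLE_CONFIG = {
  mcpServers: {
    docs: { command: "node", args: ["./servers/docs.js", "--port", "7010"] },
    helper: { command: "sh", args: ["-c", "node server.js; echo CONSTRUCTED"] },
    notes: { command: "node", args: ["-e", "/* constructed inline code */"] },
    broken: { command: "node", args: "--port 7010" },
  },
};

console.log(auditMcpConfig(SAMPLE_CONFIG));
```

An entry that passes should still be launched with the arguments as an array and without `shell: true`, so that Node's `spawn()` hands them to the process as argv rather than to a shell.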
