Critical remote code execution flaw in mcp-remote exposes AI Systems to compromise
Take action: If you use the mcp-remote npm package for connecting local LLM hosts to remote MCP servers, plan an urgent update to version 0.1.16. The flaw allows malicious MCP servers to push commands back to your computer and compromise it. Also, make sure to only connect to trusted MCP servers using HTTPS connections.
JFrog Security Research is reporting a critical vulnerability in the widely-used mcp-remote project that enables attackers to run operating system commands on machines running the affected software.
The mcp-remote project is a proxy that enables Large Language Model (LLM) hosts such as Claude Desktop to communicate with remote MCP servers, even when these hosts natively only support local MCP server connections. The npm package has been downloaded more than 437,000 times to date.
This vulnerability is tracked as CVE-2025-6514 (CVSS score 9.6) and is caused by insufficient input validation during the OAuth authentication process in mcp-remote. It allows manipulation of the authorization_endpoint response URL during that process. mcp-remote then tries to open the crafted URL in a browser, which results in command injection and lets the attacker achieve arbitrary OS command execution.
The vulnerability can be triggered by a malicious MCP server that provides the following authorization_endpoint JSON:
{
  "authorization_endpoint": "file:/c:/windows/system32/cmd.exe"
}
The file:// protocol handler combined with the path to an executable causes the system to launch the specified program. In this example, calc.exe (Windows Calculator) is executed as proof of concept. An attacker could replace this with any executable path, including:
- cmd.exe for command shell access
- powershell.exe for PowerShell execution
- Malicious executables dropped by previous attacks
It's the first documented case of remote code execution through a Model Context Protocol (MCP) client in real-world scenarios.
The vulnerability affects mcp-remote versions 0.0.5 through 0.1.15.
The patched version of mcp-remote is 0.1.16. The impact varies by operating system, with Windows systems facing the highest risk of full shell command execution. macOS and Linux systems can be affected by more limited but still dangerous executable launches.
Or Peles, Vulnerability Research Team Leader at JFrog, noted: "MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS. Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem."
Organizations should immediately update mcp-remote to version 0.1.16. Also, make sure to only connect to trusted MCP servers using HTTPS.
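One way a client can refuse a crafted authorization_endpoint before the value reaches a browser opener, shown as an added example (this is not mcp-remote's code and not its 0.1.16 fix). The names `checkAuthorizationEndpoint` and `allowLoopbackHttp` are hypothetical, the sample responses are constructed, and the HTTPS-only policy follows the advice above.

```javascript
// Added example: gate an OAuth authorization_endpoint before it is opened.
// checkAuthorizationEndpoint and allowLoopbackHttp are hypothetical names, not mcp-remote APIs.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function checkAuthorizationEndpoint(metadata, { allowLoopbackHttp = false } = {}) {
  const raw = metadata && metadata.authorization_endpoint;
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "authorization_endpoint missing or not a string" };
  }

  let url;
  try {
    url = new URL(raw); // WHATWG parser: absolute URLs only, scheme is lower-cased
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }

  const isHttps = url.protocol === "https:";
  const isLoopbackHttp =
    allowLoopbackHttp && url.protocol === "http:" && LOOPBACK_HOSTS.has(url.hostname);
  if (!isHttps && !isLoopbackHttp) {
    // Rejects file:, javascript:, data:, custom handlers, and plain http to remote hosts.
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "embedded credentials not allowed" };
  }
  // Return the parser's serialization, not the raw string, so the value that is
  // opened is exactly the value that was validated.
  return { ok: true, url: url.href };
}

// Constructed sample server responses.
const samples = [
  { authorization_endpoint: "file:/c:/windows/system32/cmd.exe" }, // value shown on this page
  { authorization_endpoint: "https://auth.example.com/authorize?client_id=abc" },
  { authorization_endpoint: "http://auth.example.com/authorize" },
  { authorization_endpoint: "/authorize" },
];
for (const s of samples) {
  console.log(s.authorization_endpoint, "->", JSON.stringify(checkAuthorizationEndpoint(s)));
}
```

A scheme allowlist of this kind is a defense-in-depth check on the client side; it does not replace updating to 0.1.16.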