2 Sources
[1]
Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads
Cybersecurity researchers have discovered a critical vulnerability in the open-source mcp-remote project that could result in the execution of arbitrary operating system (OS) commands. The vulnerability, tracked as CVE-2025-6514, carries a CVSS score of 9.6 out of 10.0.

"The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server, posing a significant risk to users - a full system compromise," Or Peles, JFrog Vulnerability Research Team Leader, said.

Mcp-remote is a tool that sprang forth following Anthropic's release of Model Context Protocol (MCP), an open-source framework that standardizes the way large language model (LLM) applications integrate and share data with external data sources and services. It acts as a local proxy, enabling MCP clients like Claude Desktop to communicate with remote MCP servers, as opposed to running them locally on the same machine as the LLM application. The npm package has been downloaded more than 437,000 times to date.

The vulnerability affects mcp-remote versions from 0.0.5 to 0.1.15. It has been addressed in version 0.1.16, released on June 17, 2025. Anyone using mcp-remote that connects to an untrusted or insecure MCP server using an affected version is at risk.

"While previously published research has demonstrated risks from MCP clients connecting to malicious MCP servers, this is the first time that full remote code execution is achieved in a real-world scenario on the client operating system when connecting to an untrusted remote MCP server," Peles said.

The shortcoming has to do with how a malicious MCP server operated by a threat actor could embed a command during the initial communication establishment and authorization phase, which, when processed by mcp-remote, causes it to be executed on the underlying operating system.

While the issue leads to arbitrary OS command execution on Windows with full parameter control, it results in the execution of arbitrary executables with limited parameter control on macOS and Linux systems.

To mitigate the risk posed by the flaw, users are advised to update the library to the latest version and only connect to trusted MCP servers over HTTPS.

"While remote MCP servers are highly effective tools for expanding AI capabilities in managed environments, facilitating rapid iteration of code, and helping ensure more reliable delivery of software, MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS," Peles said. "Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem."

The disclosure comes after Oligo Security detailed a critical vulnerability in the MCP Inspector tool (CVE-2025-49596, CVSS score: 9.4) that could pave the way for remote code execution.

Earlier this month, two other high-severity security defects were uncovered in Anthropic's Filesystem MCP Server, which, if successfully exploited, could let attackers break out of the server's sandbox, manipulate any file on the host, and achieve code execution. The two flaws, per Cymulate, are listed below -

Both shortcomings impact all Filesystem MCP Server versions prior to 0.6.3 and 2025.7.1, which include the relevant fixes.

"This vulnerability is a serious breach of the Filesystem MCP Server's security model," security researcher Elad Beber said about CVE-2025-53110. "Attackers can gain unauthorized access by listing, reading or writing to directories outside the allowed scope, potentially exposing sensitive files like credentials or configurations."

"Worse, in setups where the server runs as a privileged user, this flaw could lead to privilege escalation, allowing attackers to manipulate critical system files and gain deeper control over the host system."
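As an added defender-side check (this is not code from JFrog or the mcp-remote project), the script below flags an installed mcp-remote version that falls inside the affected range and lists configured remote servers that are not reached over HTTPS. The Claude Desktop config layout it reads (an mcpServers map whose entries invoke npx mcp-remote <url>) and the sample values are assumptions made for the example.

```python
import json
import re
from urllib.parse import urlparse

# Affected range stated in the advisory: 0.0.5 through 0.1.15, fixed in 0.1.16.
AFFECTED_MIN = (0, 0, 5)
FIRST_FIXED = (0, 1, 16)


def parse_version(v):
    """Turn '0.1.15' (optionally with a leading 'v') into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if this mcp-remote version is inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIRST_FIXED


def risky_server_urls(config_text):
    """Return (server name, url) pairs for mcp-remote targets not served over HTTPS.
    The config shape (mcpServers -> {command, args}) is an assumption for this example."""
    cfg = json.loads(config_text)
    findings = []
    for name, entry in cfg.get("mcpServers", {}).items():
        args = entry.get("args", [])
        if "mcp-remote" not in args:
            continue
        # Everything after the package name is treated as mcp-remote's own arguments.
        for arg in args[args.index("mcp-remote") + 1:]:
            if "://" in arg and urlparse(arg).scheme != "https":
                findings.append((name, arg))
    return findings


# Constructed sample config; the hosts and paths are placeholders, not real deployments.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "docs": {"command": "npx", "args": ["mcp-remote", "https://mcp.example.com/sse"]},
        "lab": {"command": "npx", "args": ["mcp-remote", "http://10.0.0.5:8080/sse"]},
    }
})

if __name__ == "__main__":
    print("0.1.15 affected:", is_affected("0.1.15"), "| 0.1.16 affected:", is_affected("0.1.16"))
    print("non-HTTPS servers:", risky_server_urls(SAMPLE_CONFIG))
```

Point risky_server_urls at the contents of your own client config and is_affected at the version reported by npm ls mcp-remote to get a quick yes/no for this advisory.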
[2]
JFrog : Security Research Team Discovers Critical Remote Code Execution Vulnerability Hijacking mcp-remote Clients
Sunnyvale, Calif. - July 9, 2025 - Today, the JFrog Security Research team announced its discovery of a critical vulnerability in an mcp-remote server capable of performing remote code execution. The vulnerability, CVE-2025-6514 (CVSS 9.6 score), is capable of triggering arbitrary OS command execution when Model Context Protocol (MCP) clients, such as Claude Desktop, connect to an untrusted MCP server through mcp-remote. A successful attack results in the most severe consequence for the victim: complete system compromise.

"While remote MCP servers are highly effective tools for expanding AI capabilities in managed environments, facilitating rapid iteration of code, and helping ensure more reliable delivery of software, MCP users need to be mindful when using them," said Or Peles, JFrog Senior Security Researcher and lead on the study. "It's important that users connect to trusted MCP clients using secure connection methods such as HTTPS. Otherwise, vulnerabilities like CVE-2025-6514 could hijack MCP clients to varying degrees of impact."

The mcp-remote tool gained popularity in the AI community when remote MCP server implementations began to emerge, enabling LLM models to interact with external data and tools. While most MCP clients still only supported connecting to local servers, this tool enabled applications that previously only supported local MCP transport via STDIO, such as Claude Desktop, Cursor, and Windsurf, to connect with remote MCP servers via HTTP transport by serving as a proxy.

The CVE-2025-6514 (CVSS 9.6 score) vulnerability affects versions 0.0.5 to 0.1.15 of mcp-remote and has been fixed in version 0.1.16. The JFrog Security Research Team strongly advises users of this function to:

For more information and technical details, visit: https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability
A critical vulnerability in the mcp-remote tool, used for connecting AI applications to remote servers, has been discovered. This flaw could allow attackers to execute arbitrary code on users' systems, potentially leading to full system compromise.
Cybersecurity researchers from JFrog have uncovered a critical vulnerability in the open-source mcp-remote project, a tool widely used in the AI community. The flaw, tracked as CVE-2025-6514 with a CVSS score of 9.6 out of 10.0, could allow attackers to execute arbitrary operating system commands on machines running mcp-remote when connecting to untrusted Model Context Protocol (MCP) servers [1].
The vulnerability affects mcp-remote versions 0.0.5 to 0.1.15, impacting over 437,000 downloads. Or Peles, JFrog Vulnerability Research Team Leader, emphasized the severity of the issue, stating that it poses "a significant risk to users - a full system compromise" [2].
The vulnerability stems from how mcp-remote processes commands during the initial communication and authorization phase with an MCP server. A malicious server could embed a command that, when processed by mcp-remote, executes on the client's operating system. The impact varies across platforms [1]:
Mcp-remote emerged following Anthropic's release of the Model Context Protocol (MCP), an open-source framework for standardizing how large language model (LLM) applications integrate with external data sources and services. It acts as a local proxy, enabling MCP clients like Claude Desktop to communicate with remote MCP servers [1].
This vulnerability is particularly significant as it represents the first instance of achieving full remote code execution in a real-world scenario on the client operating system when connecting to an untrusted remote MCP server [1].
JFrog has addressed the vulnerability in mcp-remote version 0.1.16, released on June 17, 2025. To mitigate the risk, users are strongly advised to [2]:
This discovery highlights the growing importance of security in the AI ecosystem. As AI applications increasingly rely on external data sources and services, vulnerabilities in the tools facilitating these connections can have far-reaching consequences.
The incident follows recent disclosures of other vulnerabilities in the MCP ecosystem, including [1]:
These vulnerabilities underscore the need for robust security practices in the development and deployment of AI-related tools and infrastructure.
Summarized by Navi