Critical mcp-remote Vulnerability (CVE-2025-6514) Enables Remote Code Execution on Client Systems
Cybersecurity researchers have disclosed a critical remote code execution (RCE) vulnerability in the popular open-source project mcp-remote, tracked as CVE-2025-6514 with a CVSS score of 9.6. This vulnerability allows attackers to execute arbitrary operating system commands when a vulnerable MCP client connects to a malicious or untrusted remote MCP server.
The flaw poses a severe risk of full system compromise, especially in enterprise environments where AI tooling like Claude Desktop depends on MCP infrastructure for enhanced LLM workflows.
What is mcp-remote?
mcp-remote is an open-source tool created to support Anthropic’s Model Context Protocol (MCP) — a framework that standardizes how large language models (LLMs) access and interact with external data sources. Acting as a local proxy, mcp-remote allows applications to connect to remote MCP servers, offloading compute or context management without hosting locally.
Since its inception, the package has been downloaded over 437,000 times from npm.
About the Vulnerability
According to Or Peles, Vulnerability Research Lead at JFrog, the issue exists in how mcp-remote handles initial handshake and authorization messages from remote MCP servers. A malicious server can embed OS-level commands during this phase, which are then executed by the client system running mcp-remote.
“The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server.”
— Or Peles, JFrog
Platform-specific Impact:
- Windows: Full OS command execution with parameter control.
- Linux/macOS: Execution of arbitrary executables, but with limited parameter control.
Affected Versions:
- All versions from 0.0.5 to 0.1.15
- Fixed in version 0.1.16 (Released June 17, 2025)
Real-World Exploitation Risks
While prior research highlighted risks from malicious MCP servers, this is the first documented RCE exploit affecting real-world client systems. The implications are serious, particularly in LLM-centric environments where tools like mcp-remote serve as critical backend infrastructure.
Mitigation Recommendations:
- Upgrade immediately to mcp-remote v0.1.16 or higher
- Only connect to trusted MCP servers
- Enforce HTTPS-only communication with remote endpoints
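A static check of the three recommendations above, as an added example that is not from the original article or the mcp-remote project. It assumes the MCP client config is JSON with an `mcpServers` map of `command`/`args` entries and that `trustedHosts` is your own approved list; the sample config and hostnames are constructed.

```javascript
// Added example: audit MCP client config entries that launch mcp-remote.
// Affected range from the advisory: 0.0.5 through 0.1.15 (fixed in 0.1.16).
const FIRST_BAD = [0, 0, 5];
const FIXED = [0, 1, 16];

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) return null; // unpinned, tag or range: cannot be decided statically
  const v = m.slice(1).map(Number);
  return cmp(v, FIRST_BAD) >= 0 && cmp(v, FIXED) < 0;
}

// config: parsed JSON with an mcpServers map (assumed layout).
// trustedHosts: hostnames your organisation has approved (hypothetical list).
function auditConfig(config, trustedHosts) {
  const findings = [];
  for (const [name, entry] of Object.entries(config.mcpServers || {})) {
    const words = [entry.command, ...(entry.args || [])];
    const pkg = words.find((w) => /^mcp-remote(@.+)?$/.test(w));
    if (!pkg) continue; // this entry does not launch mcp-remote
    const affected = isAffected(pkg.split("@")[1] || "");
    if (affected === null) findings.push(`${name}: version not pinned, verify >= 0.1.16`);
    else if (affected) findings.push(`${name}: ${pkg} is in the affected range`);
    const target = words.find((w) => /^[a-z][a-z0-9+.-]*:\/\//i.test(w));
    if (!target) continue; // no remote endpoint argument found
    const url = new URL(target);
    if (url.protocol !== "https:") findings.push(`${name}: ${url.protocol}// endpoint is not HTTPS`);
    if (!trustedHosts.includes(url.hostname)) findings.push(`${name}: ${url.hostname} is not an approved server`);
  }
  return findings;
}

// Constructed sample config, not taken from a real deployment.
const sample = { mcpServers: {
  docs:   { command: "npx", args: ["-y", "mcp-remote@0.1.15", "http://mcp.example.net/sse"] },
  search: { command: "npx", args: ["-y", "mcp-remote@0.1.16", "https://mcp.example.com/sse"] },
  notes:  { command: "npx", args: ["mcp-remote", "https://mcp.example.com/sse"] },
} };
console.log(auditConfig(sample, ["mcp.example.com"]).join("\n"));
```

An unpinned `mcp-remote` entry is reported separately because the version that actually runs depends on the local npm cache and cannot be read from the config alone.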
Broader MCP Ecosystem Concerns
This disclosure follows several recent high-profile vulnerabilities across the MCP ecosystem:
1. CVE-2025-49596 – MCP Inspector (CVSS 9.4)
Reported by Oligo Security. Enables RCE through insecure MCP inspection routines.
2. CVE-2025-53109 & CVE-2025-53110 – Filesystem MCP Server
Reported by Cymulate, affecting all versions prior to 0.6.3 and 2025.7.1.
- CVE-2025-53110 (CVSS 7.3): Directory traversal flaw allows reading/writing outside the restricted scope.
- CVE-2025-53109 (CVSS 8.4): Symlink bypass vulnerability that can be abused for persistence and privilege escalation.
“This is a serious breach of Filesystem MCP Server’s security model,”
— Elad Beber, Cymulate