Critical mcp-remote Vulnerability Exposes LLM Clients to Remote Code Execution
The JFrog Security Research team has discovered a critical security vulnerability in mcp-remote, a widely used tool that enables Large Language Model clients to communicate with remote servers, potentially allowing attackers to achieve full system compromise through remote code execution.
Severe Security Flaw Affects Popular AI Tool
CVE-2025-6514, rated with a critical CVSS score of 9.6, affects mcp-remote versions 0.0.5 to 0.1.15. The vulnerability allows attackers to trigger arbitrary operating system command execution on machines running mcp-remote when it connects to untrusted Model Context Protocol (MCP) servers.
This represents the first documented case of achieving full remote code execution in a real-world scenario involving MCP client-server communications.
The mcp-remote tool serves as a proxy that lets LLM hosts such as Claude Desktop, Cursor, and Windsurf communicate with remote MCP servers, even when those hosts natively support only local server connections.
As remote MCP implementations have gained popularity in the AI community, mcp-remote has become widely adopted, with documentation appearing in Cloudflare’s official guides, Auth0 integration materials, and Hugging Face tutorials.
Attack Vectors and Impact
Security researchers identified two primary attack scenarios. First, malicious actors can directly compromise MCP clients that connect to untrusted or hijacked MCP servers.
Second, attackers positioned within local networks can perform man-in-the-middle attacks against clients connecting insecurely to MCP servers using HTTP rather than HTTPS protocols.
The vulnerability exploits mcp-remote’s OAuth authorization flow. When establishing connections, the tool requests server metadata including authorization endpoints.
Malicious servers can respond with specially crafted authorization endpoint URLs that trigger command injection when mcp-remote attempts to open them in a browser.
On Windows systems, researchers demonstrated complete arbitrary command execution with full parameter control.
On macOS and Linux platforms, the vulnerability enables execution of arbitrary executables with limited parameter control, though further research may reveal paths to complete command execution on these systems as well.
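The flow described above hands a server-supplied authorization endpoint to a browser opener, so the defensive control is to validate that value before use and to pass it as a single argument, never through a shell. The following is an added example of such a check written for this article; it is not code from mcp-remote or from the JFrog research, and the opener commands per platform, the `allowHttpLoopback` option and the sample metadata are assumptions constructed for illustration.

```javascript
// Defensive handling of an untrusted OAuth authorization_endpoint in an MCP client.
// Added example for this article; not mcp-remote's own code.

// RFC 3986 unreserved + reserved characters and percent-encoding. Anything else
// (spaces, quotes, backticks, backslashes, <, >, |, control bytes, non-ASCII)
// is rejected outright instead of escaped, since escaping rules differ per shell.
const SAFE_URL_CHARS = /^[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]+$/;

// Returns the normalized URL string or throws. Only https is accepted by default;
// allowHttpLoopback (assumed option) permits http to localhost for development.
function validateAuthorizationEndpoint(raw, { allowHttpLoopback = false } = {}) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    throw new Error("authorization_endpoint missing or too long");
  }
  if (!SAFE_URL_CHARS.test(raw)) {
    throw new Error("authorization_endpoint contains disallowed characters");
  }
  let url;
  try { url = new URL(raw); } catch { throw new Error("authorization_endpoint is not an absolute URL"); }
  const loopback = ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
  if (url.protocol === "https:" || (allowHttpLoopback && url.protocol === "http:" && loopback)) {
    return url.href;
  }
  throw new Error(`authorization_endpoint scheme not allowed: ${url.protocol}`);
}

// Opener invocation as an argv array so the URL is always one argument.
// Opener names per platform are assumptions for this example.
function openerArgv(url, platform = process.platform) {
  if (platform === "win32") return ["rundll32", ["url.dll,FileProtocolHandler", url]];
  if (platform === "darwin") return ["open", [url]];
  return ["xdg-open", [url]];
}

// Validates, then launches the opener with shell: false. dryRun returns the
// planned invocation without launching anything.
function openAuthorizationUrl(raw, { dryRun = false, platform } = {}) {
  const url = validateAuthorizationEndpoint(raw);
  const [cmd, args] = openerArgv(url, platform);
  if (!dryRun) {
    const { spawn } = require("node:child_process");
    spawn(cmd, args, { shell: false, stdio: "ignore", detached: true }).unref();
  }
  return { cmd, args };
}

// Constructed sample metadata documents (not captured from any real server).
const trustedMeta = { authorization_endpoint: "https://idp.example.test/authorize?scope=mcp&state=abc" };
const hostileMeta = { authorization_endpoint: 'https://idp.example.test/authorize" placeholder' };

function checkMetadata(meta) {
  try { return { ok: true, href: validateAuthorizationEndpoint(meta.authorization_endpoint) }; }
  catch (e) { return { ok: false, reason: e.message }; }
}
```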

Glen Maddern, mcp-remote’s primary maintainer, promptly addressed the vulnerability following responsible disclosure.
Users can protect themselves by updating to version 0.1.16, which includes comprehensive fixes for the security flaw.
Additional protective measures include exclusively connecting to trusted MCP servers using secure HTTPS connections and avoiding HTTP-based communications that could be intercepted or manipulated by attackers.
The Model Context Protocol emerged in November 2024 as an open standard enabling AI assistants to securely access external data sources, tools, and services in real time.
Initially designed for local server deployments, the protocol has rapidly evolved to support remote implementations, reducing operational complexity for organizations managing multiple LLM applications.
Recent developments show major LLM providers adding native remote MCP support, with Cursor and Windsurf implementing direct remote connectivity, and Anthropic extending this capability to paid Claude Desktop subscribers.