Critical mcp-remote Vulnerability Exposes LLM Clients to Remote Code Execution Attacks
A critical vulnerability, CVE-2025-6514 (CVSS score 9.6), in the mcp-remote project allows attackers to achieve arbitrary operating system command execution on machines running mcp-remote when they connect to untrusted Model Context Protocol (MCP) servers.
The vulnerability affects versions 0.0.5 through 0.1.15 and poses significant risks to Large Language Model (LLM) clients using remote MCP server connections, potentially leading to complete system compromise.
Key Takeaways
1. CVE-2025-6514: Critical RCE vulnerability in mcp-remote versions 0.0.5–0.1.15 via untrusted MCP server connections.
2. Malicious OAuth authorization_endpoint URLs trigger command injection through PowerShell subexpression evaluation.
3. Update to mcp-remote v0.1.16 and use HTTPS-only connections to trusted servers.
4. Audit MCP configurations and enforce strict server trust policies.
mcp-remote Critical RCE Flaw (CVE-2025-6514)
According to the JFrog security research team report, CVE-2025-6514 exploits the OAuth authorization flow in mcp-remote, a proxy tool that enables LLM hosts like Claude Desktop to communicate with remote MCP servers.
The vulnerability manifests when users configure their LLM clients to connect to untrusted or compromised MCP servers through HTTP connections.
Two primary attack scenarios emerge from this vulnerability. First, direct connections to malicious MCP servers allow attackers to inject malicious payloads through the OAuth authorization endpoint.
Second, man-in-the-middle attacks on insecure HTTP connections enable local network attackers to hijack MCP traffic and redirect it to malicious servers.
The configuration process involves editing Claude’s JSON configuration file:
The vulnerability occurs during the OAuth metadata discovery phase, when mcp-remote requests authorization server metadata from the remote MCP server. A malicious server responds with a crafted authorization_endpoint value that exploits the behavior of the open npm package, which mcp-remote uses to launch the authorization URL in the user’s browser.
The attack leverages PowerShell’s subexpression evaluation feature on Windows systems.
When the malicious server returns a crafted authorization endpoint like “a:$(cmd.exe /c whoami > c:\temp\pwned.txt)”, the open() function processes this through PowerShell, executing arbitrary commands:
The PowerShell command execution bypasses URL encoding restrictions by using non-standard URI schemes, enabling full command injection with parameter control on Windows systems.
| Risk Factors | Details |
| --- | --- |
| Affected Products | mcp-remote versions 0.0.5 to 0.1.15 |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | Connection to untrusted/malicious MCP server OR insecure HTTP connection vulnerable to man-in-the-middle attacks |
| CVSS 3.1 Score | 9.6 (Critical) |
Mitigation Strategies
Organizations must implement immediate remediation measures to address CVE-2025-6514. The primary solution involves updating mcp-remote to version 0.1.16, which contains the security fix.
Users should verify their current version and upgrade immediately if running affected versions.
Additionally, security best practices include connecting exclusively to trusted MCP servers using HTTPS connections to prevent man-in-the-middle attacks.
Organizations should audit their MCP server configurations and remove any insecure HTTP connections from their LLM client configurations.
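The following audit script is an added example, not code from the article or from the mcp-remote project. It applies the two checks above (affected version, plaintext http:// server URL) to a Claude Desktop-style JSON configuration of the kind mentioned earlier; the mcpServers/command/args layout, the sample entries and the helper names are assumptions.

```python
"""Audit an LLM-client MCP configuration for risky mcp-remote entries.

Hypothetical helper (not part of mcp-remote). Assumes the config layout
{"mcpServers": {"<name>": {"command": "npx", "args": [...]}}}.
"""
import json
import re
from urllib.parse import urlsplit

FIRST_VULNERABLE = (0, 0, 5)   # earliest version affected by CVE-2025-6514
FIXED_VERSION = (0, 1, 16)     # first release containing the fix


def parse_version(spec: str):
    """Return (major, minor, patch) from 'mcp-remote@0.1.10', or None if unpinned."""
    m = re.search(r"@(\d+)\.(\d+)\.(\d+)$", spec)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_server(name: str, entry: dict) -> list:
    """Return human-readable findings for one mcpServers entry."""
    findings = []
    args = entry.get("args", [])
    # Only entries that invoke the mcp-remote proxy are in scope.
    specs = [a for a in args if a == "mcp-remote" or a.startswith("mcp-remote@")]
    if not specs:
        return findings
    version = parse_version(specs[0])
    if version is None:
        findings.append(f"{name}: mcp-remote version unpinned; verify the installed version is >= 0.1.16")
    elif FIRST_VULNERABLE <= version < FIXED_VERSION:
        ver = ".".join(map(str, version))
        findings.append(f"{name}: mcp-remote {ver} is affected by CVE-2025-6514; upgrade to 0.1.16")
    # Any plaintext http:// server URL is exposed to man-in-the-middle redirection.
    for a in args:
        if urlsplit(a).scheme == "http":
            findings.append(f"{name}: plaintext http:// MCP server URL {a}; use https:// to a trusted server")
    return findings


def audit_config(config_text: str) -> list:
    """Audit every server entry in a JSON config document."""
    config = json.loads(config_text)
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        findings.extend(audit_server(name, entry))
    return findings


# Constructed sample config: one affected entry, one patched, one unrelated local server.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "legacy": {"command": "npx", "args": ["mcp-remote@0.1.10", "http://mcp.example.internal/sse"]},
    "current": {"command": "npx", "args": ["mcp-remote@0.1.16", "https://mcp.example.com/sse"]},
    "local": {"command": "node", "args": ["server.js"]},
}})

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Point `audit_config` at the contents of the client's real configuration file to review a deployed setup.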
As LLM hosts like Cursor, Windsurf, and Claude Desktop add native remote MCP connectivity, security teams must remain vigilant for similar command injection vulnerabilities in related tools and maintain strict server trust policies.