CVE-2025-6514 PUBLISHED

OS command injection in mcp-remote when connecting to untrusted MCP servers

Assigner: JFROG
Reserved: 23.06.2025 Published: 09.07.2025 Updated: 09.07.2025

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 9.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Package Collection	https://registry.npmjs.org
Package Name	mcp-remote
Versions	Default: unaffected affected from 0.0.5 to 0.1.15 (incl.)

References

https://research.jfrog.com/vulnerabilities/mcp-remote-command-injection-rce-jfsa-2025-001290844/
https://github.com/geelen/mcp-remote/commit/607b226a356cb61a239ffaba2fb3db1c9dea4bac
https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE