Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads - The Hacker News

Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads Ravie LakshmananJul 10, 2025Vulnerability / AI Security Cybersecurity researchers have discovered a critical vulnerability in the open-source mcp-remote project that could result in the execution of arbitrary operating system (OS) commands. The vulnerability, tracked as CVE-2025-6514, carries a CVSS score of 9.6 out of 10.0. "The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server, posing a significant risk to users – a full system compromise," Or Peles, JFrog Vulnerability Research Team Leader, said. Mcp-remote is a tool that sprang forth following Anthropic's release of Model Context Protocol (MCP), an open-source framework that standardizes the way large language model (LLM) applications integrate and share data with external data sources and services. It acts as a local proxy, enabling MCP clients like Claude Desktop to communicate with remote MCP servers, as opposed to running them locally on the same machine as the LLM application. The npm package has been downloaded more than 437,000 times to date. The vulnerability affects mcp-remote versions from 0.0.5 to 0.1.15. It has been addressed in version 0.1.16 released on June 17, 2025. Anyone using mcp-remote that connects to an untrusted or insecure MCP server using an affected version is at risk. "While previously published research has demonstrated risks from MCP clients connecting to malicious MCP servers, this is the first time that full remote code execution is achieved in a real-world scenario on the client operating system when connecting to an untrusted remote MCP server," Peles said. The shortcoming has to do with how a malicious MCP server operated by a threat actor could embed a command during the initial communication establishment and authorization phase, which, when processed by mcp-remote, causes it to be executed on the underlying operating system. While the issue leads to arbitrary OS command execution on Windows with full parameter control, it results in the execution of arbitrary executables with limited parameter control on macOS and Linux systems. To mitigate the risk posed by the flaw, users are advised to update the library to the latest version and only connect to trusted MCP servers over HTTPS. "While remote MCP servers are highly effective tools for expanding AI capabilities in managed environments, facilitating rapid iteration of code, and helping ensure more reliable delivery of software, MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS," Peles said. "Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem." The disclosure comes after Oligo Security detailed a critical vulnerability in the MCP Inspector tool (CVE-2025-49596, CVSS score: 9.4) that could pave the way for remote code execution. Tenable, which also discovered and reported CVE-2025-49596, said the flaw has to do with the fact that the interactive web user interface (UI) launched by MCP Inspector via localhost to communicate with servers lacks any authentication out-of-the-box. This enables an attacker on the same network as the proxy instance to inject malicious commands into it, a scenario called NeighborJacking, or trick a victim into visiting a malicious web page, which embeds JavaScript code that can deceive the proxy component into executing arbitrary code through a cross-site attack. The vulnerabilities lay bare the hidden risks lurking in what has been described as an "USB-C" or a universal adapter for AI application, becoming the backbone infrastructure for connecting apps to different data and tools. "It's crucial to enforce security fundamentals in server development and tool usage," security researcher Rémy Marot said. "Adhering to basic security practices can significantly mitigate risks from vulnerabilities in novel systems and prevent devastating attacks." Earlier this month, two other high-severity security defects were uncovered in Anthropic's Filesystem MCP Server, which, if successfully exploited, could let attackers break out of the server's sandbox, manipulate any file on the host, and achieve code execution. The two flaws, per Cymulate, are listed below - CVE-2025-53110 (CVSS score: 7.3) - A directory containment bypass that makes it possible to access, read, or write outside of the approved directory (e.g., "/private/tmp/allowed_dir") by using the allowed directory prefix on other directories (e.g., "/private/tmp/allow_dir_sensitive_credentials"), thereby opening the door data theft and possible privilege escalation CVE-2025-53109 (CVSS score: 8.4) - A symbolic link (aka symlink) bypass stemming from poor error handling that can be used to point to any file on the file system from within the allowed directory, allowing an attacker to read or alter critical files (e.g., "/etc/sudoers") or drop malicious code, resulting in code execution by making use of Launch Agents, cron jobs, or other persistence techniques Both shortcomings impact all Filesystem MCP Server versions prior to 0.6.3 and 2025.7.1, which include the relevant fixes. "This vulnerability is a serious breach of the Filesystem MCP Servers security model," security researcher Elad Beber said about CVE-2025-53110. "Attackers can gain unauthorized access by listing, reading or writing to directories outside the allowed scope, potentially exposing sensitive files like credentials or configurations." "Worse, in setups where the server runs as a privileged user, this flaw could lead to privilege escalation, allowing attackers to manipulate critical system files and gain deeper control over the host system." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  AI Security, Anthropic, cybersecurity, linux, MacOS, MCP, Open Source, remote code execution, Threat Intelligence, Vulnerability, Windows Trending News Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Load More ▼ Popular Resources Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Identity Controls Checklist: Find Missing Protections in Apps