Critical MCP-Remote Vulnerability Enables Remote OS Command Execution

HomeNews* Researchers found a critical security flaw in the mcp-remote tool allowing attackers to execute system commands.

• The vulnerability, labeled CVE-2025-6514, received a high severity CVSS score of 9.6 out of 10.
• Attackers could compromise computers running vulnerable mcp-remote versions when connecting to unsafe Model Context Protocol (MCP) servers.
• The issue affects mcp-remote versions 0.0.5 to 0.1.15 and was fixed in version 0.1.16 released on June 17, 2025.
• Experts urge users to update affected software and connect only to trusted MCP servers over secure (HTTPS) channels. Cybersecurity experts have identified a major vulnerability in the open-source mcp-remote project that can let attackers run operating system commands on affected systems. This flaw was reported on July 10, 2025 and impacts anyone using mcp-remote to connect with Model Context Protocol (MCP) servers. The vulnerability places users at risk for a complete system takeover if they connect to a malicious remote MCP server.

• Advertisement - The security weakness, known as CVE-2025-6514, received a critical CVSS score of 9.6 out of 10. According to Or Peles, leader of the JFrog Vulnerability Research Team, “The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server, posing a significant risk to users – a full system compromise.”

mcp-remote is a local proxy that helps large language model (LLM) apps, like Claude Desktop, communicate with remote MCP servers instead of running them locally. The npm package has been downloaded over 437,000 times so far. The flaw, now patched in version 0.1.16, affects all previous versions from 0.0.5. Users who connect mcp-remote to untrusted or insecure MCP servers are most at risk.

The vulnerability allows a malicious server to embed a command during the initial handshake. When mcp-remote processes this, it executes the command on the underlying system. On Windows, attackers get full control of command parameters. On macOS and Linux, they can run programs but with fewer options. Security teams recommend updating to the latest version and connecting only to trusted servers via HTTPS.

Earlier research warned of risks when MCP clients connect to dangerous servers, but this is the first time remote code execution on the client has been confirmed in real use. “While remote MCP servers are highly effective tools for expanding AI capabilities in managed environments… MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS,” Peles stated.

Other recent vulnerabilities have also come to light in the MCP ecosystem. For instance, a flaw in MCP Inspector (CVE-2025-49596) could also enable remote code execution. Two more high-severity bugs were found in Anthropic‘s Filesystem MCP Server:

• CVE-2025-53110 (CVSS 7.3): Allows attackers to access, read, or alter data outside of permitted folders, risking data theft and privilege gains.
• CVE-2025-53109 (CVSS 8.4): Lets attackers use symbolic links to reach sensitive files or place malicious code for system compromise.

These server flaws affect all versions before 0.6.3 and 2025.7.1. Security professionals caution that, especially when these servers run with high system privileges, the risk of deeper system compromise grows.

• Advertisement - #### Previous Articles:

• Tesla to Expand Robotaxi Service in Austin, Bay Area This Weekend
• BIS Finds Tokenized Government Bonds Offer Tighter Market Spreads
• DeFi Backdoor Threatens $10M as Texture, Kinto Face Attacks
• US House to Hold Crypto Tax Hearing as Key Crypto Bills Advance
• Fake Crypto Startups Use Social Media to Spread Wallet-Stealing Malware

• Advertisement -