Cybersecurity researchers have discovered a critical vulnerability in the open-source mcp-remote project that could result in the execution of arbitrary operating system (OS) commands.
The vulnerability, tracked as CVE-2025-6514, carries a CVSS score of 9.6 out of 10.0.
“The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server, posing a significant risk to users – a full system compromise,” Or Peles, JFrog Vulnerability Research Team Leader, said.
Mcp-remote is a tool that sprang forth following Anthropic’s release of Model Context Protocol (MCP), an open-source framework that standardizes the way large language model (LLM) applications integrate and share data with external data sources and services.
It acts as a local proxy, enabling MCP clients like Claude Desktop to communicate with remote MCP servers, as opposed to running them locally on the same machine as the LLM application. The npm package has been downloaded more than 437,000 times to date.
The vulnerability affects mcp-remote versions from 0.0.5 to 0.1.15. It has been addressed in version 0.1.16 released on June 17, 2025. Anyone using mcp-remote that connects to an untrusted or insecure MCP server using an affected version is at risk.
“While previously published research has demonstrated risks from MCP clients connecting to malicious MCP servers, this is the first time that full remote code execution is achieved in a real-world scenario on the client operating system when connecting to an untrusted remote MCP server,” Peles said.
The shortcoming has to do with how a malicious MCP server operated by a threat actor could embed a command during the initial communication establishment and authorization phase, which, when processed by mcp-remote, causes it to be executed on the underlying operating system.
While the issue leads to arbitrary OS command execution on Windows with full parameter control, it results in the execution of arbitrary executables with limited parameter control on macOS and Linux systems.
To mitigate the risk posed by the flaw, users are advised to update the library to the latest version and only connect to trusted MCP servers over HTTPS.
“While remote MCP servers are highly effective tools for expanding AI capabilities in managed environments, facilitating rapid iteration of code, and helping ensure more reliable delivery of software, MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS,” Peles said.
“Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem.”
The disclosure comes after Oligo Security detailed a critical vulnerability in the MCP Inspector tool (CVE-2025-49596, CVSS score: 9.4) that could pave the way for remote code execution.
Earlier this month, two other high-severity security defects were uncovered in Anthropic’s Filesystem MCP Server, which, if successfully exploited, could let attackers break out of the server’s sandbox, manipulate any file on the host, and achieve code execution.
The two flaws, per Cymulate, are listed below –
- CVE-2025-53110 (CVSS score: 7.3) – A directory containment bypass that makes it possible to access, read, or write outside of the approved directory (e.g., “/private/tmp/allowed_dir”) by using the allowed directory prefix on other directories (e.g., “/private/tmp/allow_dir_sensitive_credentials”), thereby opening the door data theft and possible privilege escalation
- CVE-2025-53109 (CVSS score: 8.4) – A symbolic link (aka symlink) bypass stemming from poor error handling that can be used to point to any file on the file system from within the allowed directory, allowing an attacker to read or alter critical files (e.g., “/etc/sudoers”) or drop malicious code, resulting in code execution by making use of Launch Agents, cron jobs, or other persistence techniques
Both shortcomings impact all Filesystem MCP Server versions prior to 0.6.3 and 2025.7.1, which include the relevant fixes.
“This vulnerability is a serious breach of the Filesystem MCP Servers security model,” security researcher Elad Beber said about CVE-2025-53110. “Attackers can gain unauthorized access by listing, reading or writing to directories outside the allowed scope, potentially exposing sensitive files like credentials or configurations.”
“Worse, in setups where the server runs as a privileged user, this flaw could lead to privilege escalation, allowing attackers to manipulate critical system files and gain deeper control over the host system.”
