Vulnerability Description
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL
CVSS Score
9.6
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Related Weaknesses (CWE)
References
- https://github.com/geelen/mcp-remote/commit/607b226a356cb61a239ffaba2fb3db1c9dea
- https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability
- https://research.jfrog.com/vulnerabilities/mcp-remote-command-injection-rce-jfsa
FAQ
What is CVE-2025-6514?
CVE-2025-6514 is a vulnerability with a CVSS score of 9.6 (CRITICAL). mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL
How severe is CVE-2025-6514?
CVE-2025-6514 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-6514?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.