IT Brief US - Technology news for CIOs & IT decision-makers

Critical mcp-remote flaw lets attackers hijack AI client systems

Today

A critical vulnerability, tracked as CVE-2025-6514, has been discovered in mcp-remote, a proxy tool widely used by Model Context Protocol clients to reach remote servers. It affects versions 0.0.5 through 0.1.15.

The JFrog Security Research team revealed that the flaw lets a remote MCP server execute arbitrary operating system commands on the machine where mcp-remote is running, whenever mcp-remote connects to an untrusted Model Context Protocol (MCP) server. The issue is fixed in version 0.1.16. According to JFrog, this is the first documented case of full remote code execution against an MCP client in a real-world scenario involving untrusted MCP servers.

Widespread impact

According to the researchers, MCP's popularity has surged because it lets AI assistants and large language models (LLMs) interact in real time with external data and services. LLM hosts such as Claude Desktop natively launch only local MCP servers over stdio; mcp-remote bridges that gap by running as a local stdio server and forwarding the traffic to a remote MCP server. That convenience has seen mcp-remote adopted across software and documentation, including official guides from Cloudflare and integrations with platforms such as auth0 and Hugging Face.

The vulnerability exposes users to arbitrary OS command execution if mcp-remote is used to connect to a malicious or hijacked MCP server, or to any MCP server over an insecure connection. Under those conditions an attacker gains remote code execution on the client system. The risk is most pronounced on Windows, where the researchers demonstrated an exploit that runs shell commands with full control over their parameters. On macOS and Linux, the flaw currently allows launching arbitrary binaries but with less control over how they are invoked; the researchers note that further work may broaden its applicability.

Attack vectors

JFrog identified two scenarios in which the attack can be carried out. In the first, an MCP client uses mcp-remote to connect to an untrusted or compromised remote server, which a threat actor can arrange by standing up a hostile server or hijacking existing MCP infrastructure. In the second, the client connects over plain HTTP rather than HTTPS, and an attacker on the same network intercepts and rewrites the MCP traffic between client and server; this is more likely where MCP servers on a local area network are trusted implicitly and unencrypted connections are allowed.

Technical breakdown

The vulnerability is triggered during the initial handshake between mcp-remote and a remote MCP server. When configuring an LLM host such as Claude Desktop to use a remote MCP server, the user enters the server details in a configuration file. On connection, mcp-remote performs OAuth discovery with the server, and a malicious server controls the metadata it returns, for example by sending a crafted 'authorization_endpoint' URL. mcp-remote passes that URL to a browser launcher without adequately validating it, and because of the flaw a crafted value causes mcp-remote to execute arbitrary operating system commands, giving the attacker significant control over the affected system.

On Windows, the attack chain abuses the way the open-source 'open' npm package, which mcp-remote uses to open the authorization URL, hands URLs to PowerShell; a specially crafted URL reaching that code path results in command execution. The same 'open' routines exist on macOS and Linux, but there their exploitation potential is currently more limited.
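The following is an added illustration of the bug class, not mcp-remote's own code or JFrog's exploit. It models the step described above: an OAuth metadata object arrives from the remote server and its authorization_endpoint is handed to a browser launcher. A stand-in for the 'open' package (fakeOpen, hypothetical) records the call instead of spawning anything, and the vulnerable pattern (no validation at all) sits beside a hardened one that parses the value with the WHATWG URL parser, accepts only http or https (optionally https only, matching the advice to avoid insecure connections), and rejects embedded credentials. The sample URLs are constructed for the example.

```javascript
// Added example (not mcp-remote's code). Names such as fakeOpen, launcherCalls,
// openAuthorizationUrlUnchecked and validateAuthorizationEndpoint are hypothetical.

// Stand-in for the `open` npm package: records what would be passed to the OS
// launcher instead of executing anything, so the example runs offline.
const launcherCalls = [];
function fakeOpen(target) {
  launcherCalls.push(target);
}

// Vulnerable pattern: whatever string the server returned in its OAuth metadata
// goes straight to the launcher. Nothing checks that it is even an http(s) URL.
function openAuthorizationUrlUnchecked(metadata, open = fakeOpen) {
  open(metadata.authorization_endpoint);
  return metadata.authorization_endpoint;
}

// Hardened pattern: parse with the WHATWG URL parser, allow only http/https
// (or https alone), require a host, refuse embedded credentials, and hand the
// launcher the normalized, percent-encoded serialization rather than raw input.
function validateAuthorizationEndpoint(value, { requireHttps = false } = {}) {
  if (typeof value !== 'string') {
    throw new TypeError('authorization_endpoint must be a string');
  }
  let url;
  try {
    url = new URL(value);
  } catch {
    throw new Error(`authorization_endpoint is not an absolute URL: ${value}`);
  }
  const allowed = requireHttps ? ['https:'] : ['http:', 'https:'];
  if (!allowed.includes(url.protocol)) {
    throw new Error(`refusing authorization_endpoint with scheme ${url.protocol}`);
  }
  if (url.hostname === '') {
    throw new Error('authorization_endpoint has no host');
  }
  if (url.username || url.password) {
    throw new Error('authorization_endpoint must not embed credentials');
  }
  return url.href;
}

function openAuthorizationUrlChecked(metadata, options = {}, open = fakeOpen) {
  const href = validateAuthorizationEndpoint(metadata.authorization_endpoint, options);
  open(href);
  return href;
}

// Constructed metadata as a server might return it from OAuth discovery.
const benignMetadata = { authorization_endpoint: 'https://auth.example.com/authorize?client_id=abc' };
const hostileMetadata = { authorization_endpoint: 'file:///C:/Windows/System32/calc.exe' };

openAuthorizationUrlChecked(benignMetadata);            // launcher receives the https URL
try {
  openAuthorizationUrlChecked(hostileMetadata);         // rejected: scheme is file:
} catch (err) {
  console.error(err.message);
}
```

The scheme allowlist is the check that matters for this class of bug: a launcher that ends up invoking a shell or a platform "start" command must never see a value the client has not first confirmed to be an http(s) URL. Re-serializing through the URL object is defense in depth, so that the launcher receives a canonical string rather than whatever bytes the server sent.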

Mitigation available

JFrog advises all users of mcp-remote to update to version 0.1.16, which contains the fix for CVE-2025-6514. It further recommends connecting only to trusted MCP servers, doing so exclusively over encrypted HTTPS connections, and reviewing access policies for MCP infrastructure, particularly in environments that rely on remote MCP servers.

Or Peles, JFrog Vulnerability Research Team Leader, stated:

"While remote MCP servers are highly effective tools for expanding AI capabilities in managed environments, facilitating rapid iteration of code, and helping ensure more reliable delivery of software, MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS. Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem."

The research team also acknowledged Glen Maddern, mcp-remote's primary maintainer, for the prompt resolution and patch deployment addressing the issue.

MCP, an open protocol standard introduced in late 2024, has made it straightforward to connect LLMs to external data and enterprise systems, both locally and remotely. That reach expands what AI-powered applications can do, and the discovery of CVE-2025-6514 underlines the security responsibilities that come with deploying and connecting to MCP infrastructure.

Users are encouraged to install the latest version of mcp-remote and to audit existing deployments for vulnerable configurations, in particular host configuration files that pin an mcp-remote version at or below 0.1.15 or point it at a plaintext http:// server. Connections to MCP servers should always be established over HTTPS, with clear trust boundaries, to mitigate the risks highlighted by this vulnerability.
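As an added example of the audit described above (not a tool from JFrog or the mcp-remote project), the script below walks the mcpServers section of a host configuration object in the shape Claude Desktop uses for claude_desktop_config.json, finds entries that launch mcp-remote, and reports a pinned version below 0.1.16, an unpinned version that should be verified on the machine, and any server URL using plain http://. The function names (auditMcpConfig, parsePackageSpec, compareVersions) and the sample configuration are constructed for this example.

```javascript
// Added example (not mcp-remote's or JFrog's code). Audits an LLM host config
// object for mcp-remote entries affected by CVE-2025-6514 or using plaintext HTTP.

const FIXED_VERSION = '0.1.16';

// "mcp-remote@0.1.10" -> { name: 'mcp-remote', version: '0.1.10' };
// "mcp-remote"        -> { name: 'mcp-remote', version: null }.
function parsePackageSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) return { name: spec, version: null };
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Compares dotted numeric versions ("0.1.15" vs "0.1.16"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns a list of { server, issue } findings; an empty list means nothing flagged.
function auditMcpConfig(config) {
  const findings = [];
  for (const [name, entry] of Object.entries(config.mcpServers || {})) {
    const args = entry.args || [];
    const idx = args.findIndex((a) => /^mcp-remote(@|$)/.test(a));
    if (idx === -1) continue; // not an mcp-remote entry

    const { version } = parsePackageSpec(args[idx]);
    if (version === null || !/^\d+(\.\d+)*$/.test(version)) {
      // "latest" or no tag resolves at run time; the installed copy must be checked.
      findings.push({ server: name, issue: `unpinned mcp-remote; verify the installed version is >= ${FIXED_VERSION}` });
    } else if (compareVersions(version, FIXED_VERSION) < 0) {
      findings.push({ server: name, issue: `mcp-remote@${version} is vulnerable to CVE-2025-6514; upgrade to ${FIXED_VERSION}` });
    }

    // The remote server URL is the first http(s) argument after the package spec.
    const target = args.slice(idx + 1).find((a) => /^https?:\/\//i.test(a));
    if (!target) {
      findings.push({ server: name, issue: 'no http(s) server URL found after mcp-remote' });
    } else if (target.toLowerCase().startsWith('http://')) {
      findings.push({ server: name, issue: `plaintext HTTP server URL ${target}; use https://` });
    }
  }
  return findings;
}

// Constructed sample configuration in the npx-based layout used by mcp-remote guides.
const sampleConfig = {
  mcpServers: {
    docs: { command: 'npx', args: ['-y', 'mcp-remote@0.1.10', 'https://mcp.example.com/sse'] },
    intranet: { command: 'npx', args: ['-y', 'mcp-remote', 'http://10.0.0.5:8787/sse'] },
    local: { command: 'node', args: ['./server.js'] },
  },
};

for (const finding of auditMcpConfig(sampleConfig)) {
  console.log(`${finding.server}: ${finding.issue}`);
}
```

Run against the sample, the 'docs' entry is flagged for its pinned vulnerable version, 'intranet' for both an unpinned version and a plaintext URL, and 'local' is skipped because it does not launch mcp-remote. In a real audit, load the JSON from the host's configuration path and confirm unpinned entries by checking the version that npx actually resolves on that machine.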
