CVE-2025-6514 exposes mcp-remote users to remote code execution when the tool connects to an untrusted MCP server. JFrog researcher Or Peles notes this is the first live instance of such an attack. Users are urged to update to version 0.1.16 and to use secure connections. The issue highlights ongoing vulnerabilities in related MCP projects. Security standardization in MCP is lacking: session hijacking and similar techniques are easy to apply when implementations do not properly define trust boundaries.
The bug, registered as CVE-2025-6514, allows an attacker to execute arbitrary operating system commands on the machine running mcp-remote as soon as it connects to an untrusted MCP server.
mcp-remote is designed to let LLM hosts communicate with external MCP servers, even if those hosts natively support only local communication.
According to JFrog researcher Or Peles, this is the first time that an attack from an MCP server on a client has been successfully carried out in a real-world situation.
Commonly used attack techniques, such as token passing, session hijacking, and the confused deputy problem, can be applied relatively easily if implementations do not set clear boundaries for trust and access control.
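As an added example that is not part of the advisory or of the mcp-remote project, the following script turns the two pieces of guidance above (update to 0.1.16, use secure connections) into an audit of a host configuration. It assumes the `mcpServers` JSON layout used by several desktop LLM hosts, where each entry launches `npx mcp-remote[@version] <server-url>`, and flags entries pinned below 0.1.16 or pointed at a non-HTTPS server.

```python
import json
import re
from urllib.parse import urlparse

# Minimum mcp-remote version the advisory names as the fix for CVE-2025-6514.
FIXED_VERSION = (0, 1, 16)

def parse_version(tag):
    """Turn '0.1.15' into (0, 1, 15); None for tags such as 'latest'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(p) for p in m.groups()) if m else None

def audit_server_entry(name, entry):
    """Findings for one host config entry; empty if it does not run mcp-remote."""
    findings = []
    args = entry.get("args", [])
    # The package spec is either bare "mcp-remote" or pinned, e.g. "mcp-remote@0.1.15".
    spec = next((a for a in args if a == "mcp-remote" or a.startswith("mcp-remote@")), None)
    if spec is None:
        return findings
    if "@" in spec:
        tag = spec.split("@", 1)[1]
        version = parse_version(tag)
        if version is None:
            findings.append(f"{name}: version tag '{tag}' is not x.y.z, check the resolved version")
        elif version < FIXED_VERSION:
            findings.append(f"{name}: pinned mcp-remote {tag} is older than 0.1.16")
    else:
        findings.append(f"{name}: mcp-remote is unpinned; confirm the resolved version is >= 0.1.16")
    # The server URL follows the package spec; anything that is not HTTPS is flagged.
    idx = args.index(spec)
    url = args[idx + 1] if idx + 1 < len(args) else None
    if url is None:
        findings.append(f"{name}: no server URL after the mcp-remote spec")
    elif urlparse(url).scheme != "https":
        findings.append(f"{name}: server URL {url} is not HTTPS")
    return findings

def audit_config(config_text):
    """Audit every entry under 'mcpServers' in a JSON host config string (assumed layout)."""
    cfg = json.loads(config_text)
    return [f for name, entry in cfg.get("mcpServers", {}).items()
            for f in audit_server_entry(name, entry)]

# Constructed sample config: one weak entry beside its corrected form.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "legacy": {"command": "npx", "args": ["-y", "mcp-remote@0.1.15", "http://mcp.example.test/sse"]},
    "fixed": {"command": "npx", "args": ["-y", "mcp-remote@0.1.16", "https://mcp.example.test/sse"]}}})

if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)) or "no findings")
```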