Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads

Posted on July 10, 2025 by CWS

Jul 10, 2025 | Ravie Lakshmanan | Vulnerability / AI Safety
Cybersecurity researchers have discovered a critical vulnerability in the open-source mcp-remote project that could result in the execution of arbitrary operating system (OS) commands.
The vulnerability, tracked as CVE-2025-6514, carries a CVSS score of 9.6 out of 10.0.
"The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server, posing a significant risk to users – a full system compromise," Or Peles, JFrog Vulnerability Research Team Leader, said.
mcp-remote is a tool that emerged following Anthropic's release of the Model Context Protocol (MCP), an open-source framework that standardizes the way large language model (LLM) applications integrate and share data with external data sources and services.
It acts as a local proxy, enabling MCP clients like Claude Desktop to communicate with remote MCP servers, as opposed to running them locally on the same machine as the LLM application. The npm package has been downloaded more than 437,000 times to date.
The vulnerability affects mcp-remote versions 0.0.5 through 0.1.15. It has been addressed in version 0.1.16, released on June 17, 2025. Anyone running an affected version of mcp-remote that connects to an untrusted or insecure MCP server is at risk.

"While previously published research has demonstrated risks from MCP clients connecting to malicious MCP servers, this is the first time that full remote code execution is achieved in a real-world scenario on the client operating system when connecting to an untrusted remote MCP server," Peles said.
The shortcoming has to do with how a malicious MCP server operated by a threat actor could embed a command during the initial communication establishment and authorization phase which, when processed by mcp-remote, is executed on the underlying operating system.

While the issue leads to arbitrary OS command execution on Windows with full parameter control, on macOS and Linux systems it results in the execution of arbitrary executables with limited parameter control.
To mitigate the risk posed by the flaw, users are advised to update the library to the latest version and to connect only to trusted MCP servers over HTTPS.
"While remote MCP servers are highly effective tools for expanding AI capabilities in managed environments, facilitating rapid iteration of code, and helping ensure more reliable delivery of software, MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS," Peles said.

"Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem."
The disclosure comes after Oligo Security detailed a critical vulnerability in the MCP Inspector tool (CVE-2025-49596, CVSS score: 9.4) that could pave the way for remote code execution.
Earlier this month, two other high-severity security defects were uncovered in Anthropic's Filesystem MCP Server which, if successfully exploited, could let attackers break out of the server's sandbox, manipulate any file on the host, and achieve code execution.
The two flaws, per Cymulate, are listed below –

CVE-2025-53110 (CVSS score: 7.3) – A directory containment bypass that makes it possible to access, read, or write outside of the approved directory (e.g., "/private/tmp/allowed_dir") by using the allowed directory prefix on other directories (e.g., "/private/tmp/allow_dir_sensitive_credentials"), thereby opening the door to data theft and potential privilege escalation
CVE-2025-53109 (CVSS score: 8.4) – A symbolic link (aka symlink) bypass stemming from poor error handling that can be used to point to any file on the file system from within the allowed directory, allowing an attacker to read or modify critical files (e.g., "/etc/sudoers") or drop malicious code, resulting in code execution by making use of Launch Agents, cron jobs, or other persistence techniques

Both shortcomings impact all Filesystem MCP Server versions prior to 0.6.3 and 2025.7.1, the releases that include the relevant fixes.

"This vulnerability is a serious breach of the Filesystem MCP Server's security model," security researcher Elad Beber said about CVE-2025-53110. "Attackers can gain unauthorized access by listing, reading or writing to directories outside the allowed scope, potentially exposing sensitive data like credentials or configurations."
"Worse, in setups where the server runs as a privileged user, this flaw could lead to privilege escalation, allowing attackers to manipulate critical system files and gain deeper control over the host system."

