A critical security vulnerability has been disclosed in mcp-remote, a widely used proxy tool that enables Large Language Model applications to connect with remote Model Context Protocol (MCP) servers.
Designated as CVE-2025-6514 with a CVSS score of 9.6, this vulnerability allows attackers to achieve arbitrary operating system command execution when users connect to untrusted MCP servers, potentially leading to full system compromise.
The vulnerability impacts mcp-remote versions 0.0.5 through 0.1.15, with a fix implemented in version 0.1.16. mcp-remote serves as a crucial bridge for LLM hosts such as Claude Desktop, Cursor, and Windsurf, enabling them to communicate with remote MCP servers when they natively support only local connections.
The tool has gained significant adoption across the AI community, as evidenced by its inclusion in official documentation from Cloudflare, Auth0, and Hugging Face.
Users become vulnerable when connecting to either hijacked or malicious MCP servers, or when connecting insecurely over HTTP protocols where attackers can perform man-in-the-middle attacks.
The vulnerability affects different operating systems with varying degrees of severity: Windows users face arbitrary OS command execution with full parameter control, while macOS and Linux users experience execution of arbitrary executables with limited parameter control, though further research may reveal paths to complete command execution on these platforms.
The technical root of CVE-2025-6514 lies in mcp-remote’s OAuth authentication process. When establishing connections with remote MCP servers, the tool requests authorization metadata from the server, including the authorization_endpoint URL that should normally direct users to legitimate authentication pages.
However, malicious servers can respond with specially crafted authorization_endpoint values designed to trigger command injection.
The vulnerability exploits the ‘open’ npm package’s behavior on Windows systems, where it uses PowerShell to execute the provided URL.
The timing of this disclosure is particularly significant as major LLM hosts including Cursor, Windsurf, and Claude Desktop have recently added native remote MCP connection capabilities.
By supplying malicious URLs with specific schemes like “a:$(cmd.exe /c [command])”, attackers can leverage PowerShell’s subexpression evaluation feature, $(...), to execute arbitrary commands.
This technique bypasses URL encoding restrictions and achieves full command execution with parameter control, as demonstrated by the research team’s successful creation of files through injected commands.
The discovery of CVE-2025-6514 coincides with the rapid expansion of the MCP ecosystem, which emerged in November 2024 and has gained immediate traction among AI developers.
Glen Maddern, mcp-remote’s primary maintainer, has promptly addressed the vulnerability with the release of version 0.1.16.
Users can mitigate the risk by updating to the latest version, connecting only to trusted MCP servers, and ensuring secure HTTPS connections.
The addition of native remote MCP support to those hosts reduces dependency on mcp-remote, but it also highlights the broader security considerations as the MCP ecosystem continues to grow.
Security researchers emphasize that this vulnerability represents the first demonstrated case of full remote code execution in a real-world MCP client scenario, marking a critical milestone in understanding the security implications of connecting to untrusted remote MCP servers.
The incident underscores the importance of maintaining security vigilance as AI integration tools become increasingly sophisticated and widely deployed.