CVE-2025-6514 mcp-remote — Exploit & Vulnerability Details CRITICAL

CVE-2025-6514

CRITICAL CVSS 3.1: 9.6 EPSS 1.47%

Parameter	Value
CVSS	9.6 (CRITICAL)
Type	CWE-78 (OS Command Injection)
Vendor	mcp-remote
Public PoC	No

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

Required

User action required

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-78 OS Command Injection

References 3

https://github.com/geelen/mcp-remote/commit/607b226a356cb61a239ffaba2fb3db1c9de…

reefs@jfrog.com

https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability

reefs@jfrog.com

https://research.jfrog.com/vulnerabilities/mcp-remote-command-injection-rce-jfs…

reefs@jfrog.com

Share Post Share Share Share

Menu

CVE-2025-6514

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 3

CVE Details

Editor's Choice

Menu

CVE-2025-6514

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 3

CVE Details

Editor's Choice

Stay informed on cybersecurity