MCP vulnerabilities stem from insecure defaults, weak trust boundaries, and poor validation: urgent action is needed to prevent further critical exploits.
Just days after a critical security flaw (CVSS 9.4, CVE-2025-49596) was found in Anthropic’s Model Context Protocol (MCP) Inspector tool that affects the security of AI development environments, a new and even more severe vulnerability has been disclosed with the mcp-remote tool, a widely used proxy that allows MCP clients to connect to remote servers.
The flaw, tracked as CVE-2025-6514 and carrying a CVSS score of 9.6, enables attackers to execute arbitrary operating system commands on affected machines. If a vulnerable client connects to an untrusted or malicious MCP server, the attacker can achieve complete system compromise.
The mcp-remote tool has gained traction in the AI and large language model (LLM) community, enabling applications to interact with remote servers over HTTP, even if originally designed for local-only communication.
The vulnerability affects mcp-remote versions 0.0.5 through 0.1.15 and is triggered when insecure protocols or untrusted servers are used. On Windows, attackers can execute shell commands with full parameter control, while on macOS and Linux, arbitrary binaries can be run, though with more limited control. Researchers note that further exploitation on these platforms may be possible with additional investigation.
Users are strongly advised to upgrade to mcp-remote version 0.1.16 or later, avoid untrusted or insecure MCP servers, and always use encrypted protocols such as HTTPS for remote MCP transport.
The vulnerability was discovered by the JFrog Security Research team., whose lead researcher, Or Peles, noted: “While remote MCP servers are highly effective tools for expanding AI capabilities, MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS. Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem.”
Security experts emphasize that this is the first documented instance of real-world remote code execution against a client device via a malicious MCP server, moving the threat from theoretical to practical. The incident underscores the urgent need for robust security practices in the rapidly evolving MCP and AI tooling landscape. The two recent critical vulnerabilities in the MCP protocol share similarities in root causes: insufficient validation, lack of secure defaults, and inadequate isolation —suggesting that other MCP-linked tools may harbor similar flaws. Unless the ecosystem adopts stronger defaults and best practices, more similar critical vulnerabilities are likely to emerge.
suggesting that other MCP-linked tools may harbor similar flaws. Unless the ecosystem adopts stronger defaults and best practices, more similar critical vulnerabilities are likely to emerge.
