A critical remote code execution (RCE) flaw in the open-source mcp-remote tool was revealed Wednesday by JFrog researchers.

The vulnerability, tracked as CVE-2025-6514, has a CVSS score of 9.6 and could potentially lead to full system compromise when connecting an AI client to a malicious remote Model Context Protocol (MCP) server, or via a man-in-the-middle attack by a local attacker, according to JFrog.

The mcp-remote project enables AI clients to connect to remote MCP servers, even when the client only supports local MCP connections. This allows AI and large language model (LLM) tools to access resources outside of the user’s local environment, such as external cloud storage and databases.

The mcp-remote tool is widely used for this purpose and is mentioned in Cloudflare documentation as a way to connect the Claude Desktop client to a remote MCP server.

The flaw discovered by JFrog and patched promptly last month by mcp-remote maintainer Glen Maddern would have allowed an attacker to send arbitrary commands to the victim’s machine via a crafted response during the authentication/authorization process.

Ordinarily, when connecting to a remote MCP server, the open() function would be used to open a browser page for the user to log in. In the proof-of-concept (PoC) attack, the URL for this browser window is altered to include malicious commands that are executed by the open() function.

In a simple demonstration of this attack, JFrog replaced the login URL, in the “authorization_endpoint” field, with the file path for the Windows Calculator app, forcibly opening the app.

The attack could be further expanded on Windows machines to include arguments by abusing the PowerShell subexpression operator $() and using an unrecognized URI scheme to prevent the command from being passed through the URL() constructor function. This allows the attacker to inject a command with arguments as a string to be evaluated, without spaces being encoded to %20 by the URL() constructor, achieving full command execution.

The attack is more limited on macOS and Linux machines, where arbitrary executables can be run with limited parameter control, the JFrog researchers noted.

CVE-2025-6514 affects mcp-remote versions 0.0.5 to 0.1.15 and was patched in version 0.1.16. The patch adds URL sanitization to prevent the execution of arbitrary commands sent from the MCP server to the client machine.

While using the latest version of mcp-remote is the best way to prevent an attack, users should also ensure they are only connecting to trusted remote MCP servers when utilizing AI clients.
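
To illustrate the kind of URL sanitization described above, here is an added example (not mcp-remote's actual patch and not JFrog's code) that vets a server-supplied "authorization_endpoint" value before it would be handed to a browser launcher. The function name vetAuthorizationEndpoint, the HTTPS-only policy, the metacharacter list and the example.com inputs in the comments are assumptions made for this example.

```javascript
// Added example, not mcp-remote's code: vet a server-supplied
// "authorization_endpoint" before any browser launcher sees it.
// Assumed policy: HTTPS only. Add "http:" solely for local testing.
const ALLOWED_SCHEMES = new Set(["https:"]);
// Characters a shell may interpret if the launcher builds a command line.
const SHELL_META = /[$()`'"\\|;<>{}]/;

function vetAuthorizationEndpoint(raw) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "empty or non-string value" };
  }
  // The URL parser silently strips tabs and newlines, so reject them first.
  if (/[\u0000-\u001f\u007f]/.test(raw)) {
    return { ok: false, reason: "control character in value" };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Unrecognized schemes keep spaces unencoded, and a Windows path such as
  // C:\Tools\example.exe (constructed) parses as scheme "c:". Allow-list
  // the scheme instead of trying to block known-bad ones.
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "embedded credentials" };
  }
  // Inspect the serialized form: spaces are already %20 here, and anything
  // a shell could still expand is refused rather than rewritten.
  if (SHELL_META.test(url.href)) {
    return { ok: false, reason: "shell metacharacter in URL" };
  }
  // Callers pass on url.href, never the raw server string.
  return { ok: true, href: url.href };
}
```

The caller should open only the returned href and abort the authorization flow on any rejection, logging the reason so a hostile or tampered server response is visible to the user.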
AI/ML, Vulnerability Management, Patch/Configuration Management
Critical mcp-remote flaw could enable RCE when connecting AI clients




