Cybersecurity researchers have discovered a critical vulnerability in open source MCP remote projects that could result in the execution of any operating system (OS) commands.
The vulnerability tracked as CVE-2025-6514 has a CVSS score of 9.6 out of 10.0.
“The vulnerability poses a significant risk to the user when an attacker initiates a connection to an untrusted MCP server, which can trigger the execution of arbitrary OS commands on the machine running the MCP remote.
MCP-Remote is a tool that emerged following the release of Model Context Protocol (MCP) Anthropic. It is an open source framework that standardizes the way large-scale language model (LLM) applications integrate and share data with external data sources and services.
Rather than running locally on the same machine as the LLM application, it acts as a local proxy that allows MCP clients such as Claude desktops to communicate with the remote MCP server. The NPM package has been downloaded over 437,000 times so far.
The vulnerability affects MCP-Remote versions from 0.0.5 to 0.1.15. Addressed in version 0.1.16, released on June 17, 2025. Anyone using an MCP remote that uses the affected version to connect to an untrusted MCP server is at risk.
“While previously published studies demonstrate the risks from MCP clients connecting to malicious MCP servers, this is the first time that full remote code execution is achieved in a real-world scenario of a client operating system when connecting to a remote MCP server that is unreliable,” Peles said.
The drawback concerns how a malicious MCP server run by a threat actor can embed commands when handled by an MCP remote at the initial communication approval stage, executed on the underlying operating system.
This issue leads to running any OS commands on Windows with full parameter control, but running any executable file with limited parameter control on MacOS and Linux systems.
To mitigate the risk posed by the flaw, users are advised to update their libraries to the latest version and connect only to trusted MCP servers via HTTPS.
“Remote MCP servers are a very effective tool to expand AI capabilities in a managed environment, promote rapid code repetition, and ensure more reliable delivery of software, but MCP users should be careful to connect to trusted MCP servers using secure connection methods such as HTTPS.
“Otherwise, vulnerabilities like CVE-2025-6514 could hijack MCP clients in the ever-growing MCP ecosystem.”
This disclosure comes after OligoSecurity detailed a critical vulnerability in the MCP Inspector Tool (CVE-2025-49596, CVSS score: 9.4).
Earlier this month, two other high-strength security flaws were revealed in the human file system MCP server.
Below is a list of two defects for each Cymulate –
CVE-2025-53110 (CVSS score: 7.3) – Directory containment bypass that allows access, read, or write outside of authorized directories using authorized directory prefixes in other directories (e.g. “/private/private/tmp/aopterdir_sentitive_credentials”) Escalation CVE-2025-53109 (CVSS score: 8.4) – Symlinks (aka shimlinks) caused by insufficient error handling that can be used to point to file systems using file systems files from within authorized directories allow attackers to read or modify important files (eg, eg “/sudoers”/sudoer sulld execution doped execution doping exting exting exting exting exting Exting Exting Exting Exting Exting Exting Exting Exting Exting Exting Exting Exting Exting Exting Exting Exting Persistence Techniques
Both drawbacks affect all filesystem MCP server versions prior to 0.6.3 and 2025.7.1, including related fixes.
“This vulnerability is a serious violation of the File System MCP Server Security Model,” security researcher Elad Beber said of CVE-2025-53110. “Attackers can gain unauthorized access by listing, reading or writing to a directory outside of the permitted range, potentially exposing sensitive files, such as credentials and configuration.”
“In addition, in setups where the server runs as a privileged user, this flaw can lead to privilege escalation, allowing attackers to manipulate critical system files and provide greater control over the host system.”
Source link
