PT-2025-28894 · Unknown · Mcp-Remote

Or Peles · Published 2025-07-09 · Updated 2025-07-17 · CVE-2025-6514

CVSS v3.1: 9.6
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:**

mcp-remote versions 0.0.5 through 0.1.15

**Description:**

mcp-remote is susceptible to OS command injection when connecting to untrusted MCP servers: the URL returned in the server's `authorization endpoint` response is attacker-controlled, and crafted input in it reaches an OS command. The result is remote code execution, potentially leading to full system compromise. Over 437,000 downloads have been impacted. This marks the first documented case of remote code execution in MCP communications. An attacker operating a malicious MCP server can execute arbitrary OS commands on a system running mcp-remote as soon as it connects. In Windows environments this can lead to full control over the operating system; on macOS and Linux it allows execution of arbitrary executables with limited control.

**Recommendations:**

Update mcp-remote to version 0.1.16.

Connect only to trusted MCP servers.

Use secure connections, such as HTTPS, when connecting to MCP servers.

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-6514
GHSA-6XPM-GGF7-WC3P

Affected Products

Mcp-Remote