PT-2025-28894 · Unknown · Mcp-Remote

Or Peles · Published 2025-06-17 · Updated 2026-05-24 · CVE-2025-6514

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: mcp-remote versions 0.0.5 through 0.1.15

Description: mcp-remote is exposed to OS command injection when it connects to untrusted MCP servers. The issue occurs during the OAuth handshake, when the proxy requests metadata from a server: a malicious server can respond with a crafted authorization endpoint URL. Because the URL is neither validated nor sanitized, mcp-remote passes it directly to the system shell to open it in a browser, which allows an attacker to execute arbitrary commands on the client machine. On Windows this gives full control over the command parameters; on macOS and Linux it allows execution of arbitrary files with limited parameter control. The software has been downloaded over 437,000 times.

Recommendations: Update to version 0.1.16 or later. Connect only to trusted MCP servers, using secure connection methods such as HTTPS.

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-09316
CVE-2025-6514
GHSA-6XPM-GGF7-WC3P

Affected Products

Mcp-Remote