8 matches found
Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads
Cybersecurity researchers have discovered a critical vulnerability in the open-source mcp-remote project that could result in the execution of arbitrary operating system (OS) commands. The vulnerability, tracked as CVE-2025-6514, carries a CVSS score of 9.6 out of 10.0. "The vulnerability allows...
@wix/mcp-remote (=0.0.6) potentially affected by CVE-2025-6514 via mcp-remote (=0.1.13)
mcp-remote NPM version =0.1.13 is affected by a known vulnerability. The following packages have a transitive dependency on mcp-remote and may be impacted: @wix/mcp-remote =0.0.6. Source CVEs: CVE-2025-6514. Source advisory: OSV:GHSA-6XPM-GGF7-WC3P...
mcp-remote exposed to OS command injection via untrusted MCP server connections
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL...
CVE-2025-6514
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL...
CVE-2025-6514 OS command injection in mcp-remote when connecting to untrusted MCP servers
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL...
CVE-2025-6514
CVE-2025-6514 affects the mcp-remote npm package (versions 0.0.5–0.1.15); it was fixed in 0.1.16 (released 2025-06-17). The vulnerability causes OS command injection when mcp-remote connects to untrusted MCP servers via crafted input in the authorization_endpoint URL, enabling remote code executi...
CVE-2025-6514 OS command injection in mcp-remote when connecting to untrusted MCP servers
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL...
PT-2025-28894
Name of the Vulnerable Software and Affected Versions: mcp-remote versions 0.0.5 through 0.1.15. Description: mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers. The issue occurs during the OAuth handshake when the proxy requests metadata from a server; a maliciou...