Security researchers have identified a critical vulnerability in the open-source mcp-remote project that lets a malicious server execute arbitrary operating system commands on the machine running the proxy. The flaw, tracked as CVE-2025-6514, carries a CVSS score of 9.6 out of 10.0.
According to Or Peles, JFrog Vulnerability Research Team Leader, the vulnerability allows arbitrary command execution on systems running mcp-remote when the proxy connects to an untrusted MCP server. “A full system compromise could result from this weakness,” Peles elaborated. Affected versions of mcp-remote range from 0.0.5 to 0.1.15; the fix shipped in version 0.1.16, released on June 17, 2025.
mcp-remote is a local proxy that lets Model Context Protocol (MCP) clients such as Claude Desktop talk to remote MCP servers. With more than 437,000 downloads, the package is widely deployed. Users of affected versions should update to 0.1.16 or later and connect only to MCP servers they trust, over HTTPS. Note the limits of that transport advice: HTTPS stops a network attacker from impersonating a legitimate server, but it does nothing against a server whose operator is malicious, so who runs the server matters as much as how it is reached.
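As a practical check to go with the mitigation advice above, here is an added Python audit script (not code from the original article, the mcp-remote project, or JFrog). It reads a Claude Desktop server configuration in the shape of claude_desktop_config.json (assumed layout: a top-level `mcpServers` object whose entries carry `command` and `args`), finds servers launched through mcp-remote, and flags versions pinned inside the 0.0.5 to 0.1.15 range, versions that are not pinned at all, and remote URLs that are not HTTPS. The configuration text is constructed for the example; the server names and hosts in it are placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample in the shape of claude_desktop_config.json (assumed layout).
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "legacy":   {"command": "npx", "args": ["-y", "mcp-remote@0.1.15", "http://mcp.example.internal/sse"]},
    "current":  {"command": "npx", "args": ["-y", "mcp-remote@0.1.16", "https://mcp.example.com/sse"]},
    "unpinned": {"command": "npx", "args": ["mcp-remote", "https://mcp.example.com/mcp"]},
    "local":    {"command": "node", "args": ["server.js"]}
  }
}
"""

# Affected range from the advisory: 0.0.5 up to and including 0.1.15; fixed in 0.1.16.
FIRST_AFFECTED = (0, 0, 5)
PATCHED = (0, 1, 16)

# Matches "mcp-remote" or "mcp-remote@<spec>" as an npx argument.
PKG_RE = re.compile(r"^mcp-remote(?:@(.+))?$")


def parse_version(spec):
    """Return (major, minor, patch) for an exact x.y.z pin, else None (tag, range or missing)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", spec or "")
    return tuple(int(x) for x in m.groups()) if m else None


def find_mcp_remote_entries(config):
    """Yield one record per configured server that is launched via mcp-remote."""
    entries = []
    for name, server in config.get("mcpServers", {}).items():
        args = server.get("args", [])
        for i, arg in enumerate(args):
            m = PKG_RE.match(arg)
            if not m:
                continue
            # The remote MCP endpoint is the first URL-looking argument after the package name.
            url = next((a for a in args[i + 1:] if "://" in a), None)
            entries.append({"name": name, "spec": m.group(1), "url": url})
            break
    return entries


def audit(config_text):
    """Return a list of (server_name, finding) pairs for the given config JSON."""
    config = json.loads(config_text)
    findings = []
    for e in find_mcp_remote_entries(config):
        version = parse_version(e["spec"])
        if version is None:
            findings.append((e["name"],
                             f"mcp-remote version spec {e['spec']!r} is not an exact pin; "
                             "verify the resolved version is 0.1.16 or later"))
        elif FIRST_AFFECTED <= version < PATCHED:
            findings.append((e["name"],
                             f"mcp-remote {e['spec']} is in the CVE-2025-6514 affected range "
                             "0.0.5-0.1.15; upgrade to 0.1.16 or later"))
        if e["url"] is not None and urlparse(e["url"]).scheme != "https":
            findings.append((e["name"],
                             f"remote MCP URL {e['url']} is not https; the server can be "
                             "impersonated by a network attacker"))
    return findings


if __name__ == "__main__":
    for server, finding in audit(SAMPLE_CONFIG):
        print(f"[{server}] {finding}")
```

Point the script at a real config by replacing `SAMPLE_CONFIG` with the file contents; an empty result means no mcp-remote entry is pinned to an affected version or uses plaintext HTTP. The script cannot tell which version an unpinned `npx mcp-remote` actually resolves to on a given machine, so those entries are reported for manual verification rather than marked safe.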
CVE-2025-6514 is not an isolated finding. It follows the recent disclosure of another critical vulnerability, CVE-2025-49596 in the MCP Inspector tool, which can also lead to remote code execution. The pressure on the MCP ecosystem is growing: two further high-severity vulnerabilities were recently reported in Anthropic's Filesystem MCP Server that could give an attacker unauthorized control of the host system.