Supply ChainCritical

mcp-remote critical RCE (CVE-2025-6514)

July 2025  ·  mcp-remote npm proxy

What happened

When an MCP client using mcp-remote connects to a malicious server, the server can return a crafted OAuth authorization_endpoint URL that triggers OS command injection on the client (CVSS 9.6). The package had over 437,000 downloads, making it a broad supply-chain exposure.

Root cause

The authorization_endpoint value was passed to an open() call without sanitization, enabling command injection during the OAuth flow.

Fix / outcome

Fixed in mcp-remote 0.1.16. Users were advised to upgrade and avoid untrusted MCP servers and non-HTTPS transports.

Sources

JFrog research

Learn this attack class

This incident is an example of Supply Chain. Read the guide, then try it hands-on in the Academy.

Read the guide →

← Back to the Incident Database