CVE-2025-6514

CRITICAL

mcp-remote >=0.0.5 <0.1.16 - OS Command Injection via Authorization Endpoint Response URL

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-6514. PoCs published by Cyberency, darshjme, ChaseHCS.

AI-analyzed exploit summary The repository contains a functional TypeScript-based proxy tool (`mcp-remote`) designed to bridge local MCP clients with remote MCP servers, leveraging OAuth authentication. It includes detailed configuration options for headers, transport strategies, and debugging, indicating a mature and operational proof-of-concept.

Description

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL

Exploits (3)

nomisec WORKING POC 7 stars

by Cyberency · poc

https://github.com/Cyberency/CVE-2025-6514

View Code ZIP pw:eip

The repository contains a functional TypeScript-based proxy tool (`mcp-remote`) designed to bridge local MCP clients with remote MCP servers, leveraging OAuth authentication. It includes detailed configuration options for headers, transport strategies, and debugging, indicating a mature and operational proof-of-concept.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: MCP (Model Context Protocol) clients and servers

Auth required

Prerequisites: MCP client configured to use the proxy · Remote MCP server with OAuth support · Network connectivity to the remote server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed May 18, 2026 Full analysis →

nomisec SCANNER

by darshjme · poc

https://github.com/darshjme/mcp-security-audit

View Code ZIP pw:eip

This repository contains a security audit tool for Model Context Protocol (MCP) servers, focusing on detecting tool poisoning, prompt injection, and input validation issues. It scans for patterns associated with CVE-2025-6514 but does not include functional exploit code.

Classification

Scanner 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Model Context Protocol (MCP) server

No auth needed

Prerequisites: access to MCP server endpoints · server source code for static analysis

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Apr 09, 2026 Full analysis →

nomisec STUB

by ChaseHCS · poc

https://github.com/ChaseHCS/CVE-2025-6514

View Code ZIP pw:eip

This repository is a placeholder for CVE-2025-6514, documenting steps to achieve arbitrary code execution in MCP-Remote. It lacks actual exploit code and is a to-do list for future development.

Classification

Stub 90%

Attack Type

Rce

Complexity

Theoretical

Reliability

Theoretical

Target: MCP-Remote 0.15

No auth needed

Prerequisites: Vast.ai 4090 instance setup · LLama or Gemma model locally configured · MCP-Remote 0.15 environment

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources third-party-advisory

https://research.jfrog.com/vulnerabilities/mcp-remote-command-injection-rce-jfsa-2025-001290844/

Patch patch

https://github.com/geelen/mcp-remote/commit/607b226a356cb61a239ffaba2fb3db1c9dea4bac

View Patch ZIP pw:eip

Various Sources technical-description

https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability

Scores

CVSS v3 9.6

EPSS 0.1217

EPSS Percentile 94.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

npm/mcp-remote 0.0.5 - 0.1.16npm

Published Jul 09, 2025

Tracked Since Feb 18, 2026