Home > Vulnerability Database > CVE-2025-6514

Mend.io Vulnerability Database

CVE-2025-6514

Good to know:

Date: July 9, 2025

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL

Severity Score

9.6

Related Resources (7)

Url: https://research.jfrog.com/vulnerabilities/mcp-remote-command-injection-rce-jfsa-2025-001290844/

Url: https://github.com/geelen/mcp-remote/commit/607b226a356cb61a239ffaba2fb3db1c9dea4bac

Url: https://github.com/geelen/mcp-remote

Url: https://research.jfrog.com/vulnerabilities/mcp-remote-command-injection-rce-jfsa-2025-001290844

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-6514

Url: https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability

Url: https://www.mend.io/vulnerability-database/CVE-2025-6514

Severity Score

9.6

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version mcp-remote - 0.1.16;https://github.com/geelen/mcp-remote.git - v0.1.16

Learn More

CVSS v3.1

Base Score:	9.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-6514

Good to know:

Date: July 9, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?