CVE-2025-6514
published 2025-07-09

CVE-2025-6514: mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL

Priority: P2 (74)
Severity: critical, CVSS 3.1 base score 9.6
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 76.64% (99.5th percentile)

Detection & IOCs (extracted from sources)

Affected: mcp-remote (category: other)
  • Monitor for OS command injection attempts originating from crafted authorization_endpoint response URLs when mcp-remote connects to untrusted MCP servers.
  • Flag any mcp-remote client connecting to an MCP server that returns a suspicious or unexpected authorization_endpoint URL in its OAuth response, especially URLs containing shell metacharacters or encoded command sequences.
  • Use LLM-based zero-shot detection to inspect MCP tool definitions and server responses for signs of command injection, data exfiltration URLs, or obfuscated encodings.
  • Detect MCP servers that blindly pass user-controlled input to shell execution (e.g., subprocess with shell=True), which is the class of vulnerability exploited in CVE-2025-6514.
  • CVE-2025-6514 is only exploitable when mcp-remote connects to an untrusted/malicious MCP server; the attack vector requires the client to initiate a connection to an attacker-controlled server that returns a crafted authorization_endpoint URL.
  • The mcp-remote package had over 437k downloads at time of reporting, indicating broad deployment exposure.
  • MCP authentication mechanisms (OAuth) were only added in March 2025 and remain optional; many servers lack authentication, increasing the risk of connecting to malicious servers that could exploit CVE-2025-6514.
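As an added example, not part of this record and not mcp-remote's own code, the following client-side check validates the authorization_endpoint returned in an OAuth authorization-server metadata response, of the kind the detection bullets above describe, and runs it over constructed sample responses; the hostnames and the expected-host parameter are assumptions.

```javascript
// Added example, not mcp-remote's own code: validate the authorization_endpoint
// of an OAuth authorization-server metadata response before a client passes the
// URL anywhere near a shell or a process launcher. Hostnames are constructed.

// Characters a legitimate https URL never needs; any of them in an endpoint URL
// is a strong signal the server is trying to smuggle input past a URL opener.
const SHELL_META = /[;&|`$(){}<>\\"'\s]/;

function checkAuthorizationEndpoint(metadata, expectedHost) {
  const raw = metadata && metadata.authorization_endpoint;
  if (typeof raw !== 'string') return { ok: false, reason: 'authorization_endpoint missing' };
  if (SHELL_META.test(raw)) return { ok: false, reason: 'shell metacharacter in URL' };
  // Check the percent-decoded form too: "%3B" becomes ";" once something decodes it.
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch {
    return { ok: false, reason: 'malformed percent-encoding' };
  }
  if (decoded !== raw && SHELL_META.test(decoded)) {
    return { ok: false, reason: 'encoded shell metacharacter in URL' };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme is not https' };
  if (url.username || url.password) return { ok: false, reason: 'credentials embedded in URL' };
  if (expectedHost && url.hostname !== expectedHost) {
    return { ok: false, reason: 'host differs from the MCP server the client connected to' };
  }
  return { ok: true, url: url.href };
}

// Constructed sample metadata responses: one clean, the rest of the shapes a hostile
// server might return; each is checked against the host the client actually dialed.
const SAMPLES = [
  { authorization_endpoint: 'https://mcp.example.test/oauth/authorize' },
  { authorization_endpoint: 'https://mcp.example.test/oauth/authorize; echo injected' },
  { authorization_endpoint: 'https://mcp.example.test/oauth/authorize%3Becho%20injected' },
  { authorization_endpoint: 'http://mcp.example.test/oauth/authorize' },
  { authorization_endpoint: 'https://evil.example.test/oauth/authorize' },
  {},
];

function scanSamples() {
  return SAMPLES.map((m) => checkAuthorizationEndpoint(m, 'mcp.example.test'));
}
```

Only the first sample is accepted; the percent-encoded case shows why the check must run on the decoded form as well as the raw string.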