CVE-2025-6514
Published: 2025-07-09
Priority: P2 (74) · Severity: critical · CVSS 3.1 base score: 9.6
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (network, low attack complexity, no privileges required, user interaction required, scope changed, high confidentiality/integrity/availability impact)
EPSS: 76.64% (99.5th percentile)
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL
Detection & IOCs (extracted from sources)
- Monitor for OS command injection attempts that originate from a crafted authorization_endpoint URL when mcp-remote connects to an untrusted MCP server.
- Flag any mcp-remote client connecting to an MCP server whose OAuth metadata returns a suspicious or unexpected authorization_endpoint URL, in particular one containing shell metacharacters or percent-encoded command sequences.
- Use LLM-based zero-shot detection to inspect MCP tool definitions and server responses for signs of command injection, data exfiltration URLs, or obfuscated encodings; treat its verdicts as a triage signal rather than a control, since they are probabilistic.
- Detect code that passes untrusted input straight to a shell (for example Python subprocess with shell=True, or a command string built by concatenating the input). That is the CWE-78 class behind CVE-2025-6514, where the sink sits in the mcp-remote client and the malicious server only supplies the string.
Context:
- CVE-2025-6514 is only exploitable when mcp-remote connects to an untrusted or malicious MCP server: the client must initiate a connection to an attacker-controlled server that returns a crafted authorization_endpoint URL.
- The mcp-remote package had over 437k downloads at the time of reporting, indicating broad deployment exposure.
- MCP authentication (OAuth) was only added in March 2025 and remains optional; many servers lack authentication, which increases the chance of connecting to a malicious server that can exploit CVE-2025-6514.
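The checks in the list above, worked through as an added example in JavaScript (mcp-remote is a Node.js package). This is the editor's code, not code from the mcp-remote project; the three metadata documents are constructed, and the names `checkAuthorizationEndpoint`, `SHELL_METACHARS`, `buildShellCommand`, `openWithoutShell` and the `xdg-open` launcher are assumptions for illustration (the https-only check is an extra defensive rule, not something the advisory states). It parses an OAuth authorization-server metadata document, flags an `authorization_endpoint` that carries raw or percent-encoded shell metacharacters, and puts the CWE-78 sink (URL interpolated into a command line) beside the hardened form (argv array, no shell):

```javascript
"use strict";
// Added example (editor's code, not from the mcp-remote project): inspect the
// authorization_endpoint an MCP server hands back in its OAuth metadata before
// a client does anything with it, and contrast the CWE-78 sink with a form
// that never touches a shell.

// Constructed sample metadata documents; none was captured from a real server.
const BENIGN_METADATA = JSON.stringify({
  issuer: "https://auth.example.com",
  authorization_endpoint: "https://auth.example.com/oauth/authorize?client=a&v=2",
  token_endpoint: "https://auth.example.com/oauth/token",
});
const CRAFTED_METADATA = JSON.stringify({
  issuer: "https://attacker.example",
  // Query string carries a command substitution that a shell would evaluate.
  authorization_endpoint: "https://attacker.example/authorize?state=$(id)",
});
const ENCODED_METADATA = JSON.stringify({
  issuer: "https://attacker.example",
  // Same payload percent-encoded once, to slip past a scan of the raw string.
  authorization_endpoint: "https://attacker.example/authorize?state=%24%28id%29",
});

// Characters that sh, cmd and PowerShell treat as syntax when a URL is spliced
// into a command line. '&' and '=' are deliberately absent: they are routine in
// query strings and are inert once the URL never reaches a shell.
const SHELL_METACHARS = /[;|`$(){}<>\\"'\s\x00]/;

// Parse one metadata document and return { ok, url, findings }.
function checkAuthorizationEndpoint(metadataJson) {
  const findings = [];
  let meta;
  try {
    meta = JSON.parse(metadataJson);
  } catch (err) {
    return { ok: false, url: null, findings: ["metadata is not valid JSON"] };
  }
  const raw = meta.authorization_endpoint;
  if (typeof raw !== "string") {
    return { ok: false, url: null, findings: ["authorization_endpoint missing or not a string"] };
  }
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (err) {
    return { ok: false, url: raw, findings: ["authorization_endpoint is not an absolute URL"] };
  }
  if (parsed.protocol !== "https:") {
    findings.push(`scheme is ${parsed.protocol}, expected https:`);
  }
  if (SHELL_METACHARS.test(raw)) {
    findings.push("raw URL contains shell metacharacters");
  }
  // Decode once: a percent-encoded payload is still delivered to a shell by any
  // launcher that decodes the URL before building its command line.
  let decoded = raw;
  try {
    decoded = decodeURIComponent(raw);
  } catch (err) {
    findings.push("malformed percent-encoding");
  }
  if (decoded !== raw && SHELL_METACHARS.test(decoded)) {
    findings.push("percent-encoded shell metacharacters");
  }
  return { ok: findings.length === 0, url: raw, findings };
}

// The vulnerable shape (CWE-78): the URL becomes part of a string a shell will
// parse, so $(...) inside the double quotes is evaluated. Returned as a string
// only; never hand it to child_process.exec.
function buildShellCommand(url) {
  return `xdg-open "${url}"`;
}

// The hardened shape: validate first, then run the launcher with an argv array
// so the URL is one opaque argument. `spawn` is injectable for testing; the
// default uses execFile, which does not involve a shell.
function openWithoutShell(url, spawn) {
  const verdict = checkAuthorizationEndpoint(JSON.stringify({ authorization_endpoint: url }));
  if (!verdict.ok) {
    throw new Error(`refusing to open ${url}: ${verdict.findings.join("; ")}`);
  }
  const run = spawn || ((file, args) => require("node:child_process").execFile(file, args));
  return run("xdg-open", [url]);
}

// Stand-alone demo: print the verdict for each constructed document.
if (typeof require !== "undefined" && require.main === module) {
  for (const doc of [BENIGN_METADATA, CRAFTED_METADATA, ENCODED_METADATA]) {
    console.log(JSON.stringify(checkAuthorizationEndpoint(doc)));
  }
}
```

The string form is what makes the client, not the server, the vulnerable component: the server only has to return a URL, and the client's own launcher supplies the shell that evaluates it. The argv form removes the shell entirely; the scheme and metacharacter checks remain as defense in depth and as the detection signal the list above describes.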
OSV
osv · 2025-07-09
CVE-2025-6514 [CRITICAL] mcp-remote exposed to OS command injection via untrusted MCP server connections
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL
GHSA
ghsa · 2025-07-09
CVE-2025-6514 [CRITICAL] CWE-78 mcp-remote exposed to OS command injection via untrusted MCP server connections
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL
No detection rules found.
No public exploits indexed.
arXiv
MCPSecBench: A Systematic Security Benchmark and Playground for Testing Model Context Protocols
arxiv_fulltext · 2026-02-12
Authors: Yixuan Yang (Eurecom; Lingnan University), Cuifeng Gao (Lingnan University), Daoyuan Wu (Lingnan University, corresponding author), Yufan Chen (Lingnan University), Yingjiu Li (University of Oregon), Shuai Wang (HKUST)
Keywords: MCP, Model Context Protocol, Security, Benchmark
## Abstract
Large Language Models (LLMs) are increasingly integrated into real-world applications via the Model Context Protocol (MCP), a universal open standard for connecting AI agents with data sources and external tools. While MCP enhances the capabilities of LLM-based agents, it also introduces new security risks and significantly expands their attack surface. In this paper, we present the first forma
arXiv
Securing AI Agents in Cyber-Physical Systems: A Survey of Environmental Interactions, Deepfake Threats, and Defenses
arxiv_fulltext · 2026-01-28
This manuscript is a preprint intended to rapidly disseminate a survey of security challenges and design principles for AI agents operating in cyber-physical systems. The authors anticipate submitting a substantially revised and polished version to a peer-reviewed journal.
Mohsen Hatami, Van Tuan Pham, Hozefa Lakadawala, Yu Chen*
Dept. of Electrical & Computer Engineering, Binghamton University, Binghamton, NY 13902, USA
{mhatami1, tpham15, hlakada1, ychen}@binghamton.edu
## Abstract
The increasing integration of AI agents into cyber-physical syst
arXiv
Securing the Model Context Protocol (MCP): Risks, Controls, and Governance
arxiv_fulltext · 2025-11-25
Herman Errico (Vanta), Jiquan Ngiam (MintMCP), Shanita Sojan (Darktrace)
## Abstract
The Model Context Protocol (MCP) replaces static, developer-controlled API integrations with more dynamic, user-driven agent systems, which also introduces new security risks. As MCP adoption grows across community servers and major platforms, organizations encounter threats that existing AI governance frameworks (such as NIST AI RMF and ISO/IEC 42001) do not yet cover in detail. We focus on three types of adversaries that take advantage of MCP’s flexibility: content-injection attackers that embed malicious instructions into otherwise legitim
Elastic
MCP Tools: Attack Vectors and Defense Recommendations for Autonomous Agents — Elastic Security Labs
blogs_elastic · 2025-09-19
19 September 2025 · Carolina Beretta · Gus Carlock · Andrew Pease
An in-depth exploration of MCP tool exploitation techniques and security recommendations for safeguarding AI agents.
Generative AI, Enablement · 14 min read
## Preamble
The Model Context Protocol (MCP) is a recently proposed open standard for connecting large language models (LLMs) to external tools and data sources in a consistent and standardized way. MCP tools are gaining rapid traction as the backbone of modern AI agents, offering a unified, reusable protocol to connect LLMs with tools and services. Securing these tools remains a challenge because of the multiple attack surfaces that actors can exploit. Given the increase in use of autonomous agent