Overview
The mcp-remote proxy (CVE-2025-6514; versions 0.0.5 through 0.1.15) allows full remote code execution on the client's operating system when it connects to an untrusted MCP server. A malicious server can return a crafted authorization_endpoint value in its OAuth metadata, and the proxy passes that value into an OS command without sanitizing it, which on Windows yields OS command injection. CVSS 3.1 score 9.6 (Critical). This is the first documented instance of a remote MCP server achieving full RCE on the client OS.
Who Is Affected
Discovered by JFrog Security Research and published July 9, 2025. Affects every user of the mcp-remote npm package from v0.0.5 through v0.1.15, a widely used proxy that lets local, stdio-only MCP clients talk to remote MCP servers. Anyone who pointed such a client at a remote server through a vulnerable mcp-remote version was exposed.
Where It Exists
The vulnerability is in the mcp-remote npm package's OAuth authorization flow. When the proxy connects to a remote MCP server that requires authentication, it fetches the server's OAuth metadata and reads the authorization_endpoint URL from it. That URL is then handed to the browser-launch routine and interpolated into an OS command without any validation. The remote server sits outside the client's trust boundary, so this is untrusted input reaching a shell.
When It Was Found
Disclosed July 9, 2025 by JFrog Security Research and fixed in mcp-remote v0.1.16, released before disclosure. Earlier MCP research had shown servers abusing the model or the client's tools; this was the first documented case of a remote MCP server executing arbitrary code on the connecting client's operating system.
How It Works
A malicious MCP server returns a crafted authorization_endpoint URL during the OAuth flow. The mcp-remote proxy passes this value unsanitized into the command it runs to open the user's browser. On Windows that command goes through a shell, so quote-breaking or subexpression syntax in the URL yields arbitrary command execution; on macOS and Linux the value is executed more directly, which still allows launching arbitrary binaries but with less control over their arguments. The attacker only needs the victim to connect to their MCP server; no click, prompt or other user interaction is required. The same flaw can be reached by an attacker who can tamper with a plaintext HTTP connection to an otherwise legitimate server.
Impact
Full remote code execution on the client's operating system at the privilege level of the user running mcp-remote. Because the proxy typically runs inside a developer's or end user's session, an attacker can install malware, steal credentials and tokens held by the MCP client or other local tools, read local files, establish persistence, and pivot to other systems. The attack is triggered simply by connecting to a malicious server, which makes it especially dangerous for users who pick MCP servers from public listings or other untrusted sources.
Mitigation
Update mcp-remote to v0.1.16 or later immediately. Only connect to MCP servers you trust, and only over HTTPS, since a plaintext connection lets a network attacker substitute the OAuth metadata. For developers of MCP clients and proxies: treat everything returned by a remote server, including OAuth metadata, as untrusted input. Parse authorization_endpoint with a URL parser and accept only https URLs, rejecting control characters, whitespace and shell metacharacters. Never interpolate such values into a shell command string; launch the browser with execFile or spawn and an argument array so the URL is a single argument and no shell parses it. Where the set of legitimate identity providers is known in advance, an allowlist of authorization_endpoint hosts adds a further layer, but it is a complement to the input validation and shell-free launch above, not a substitute for them.