JFrog finds MCP-related vulnerability, highlighting need for stronger focus on security in MCP ecosystem

by admin
2 days ago


Earlier this week, JFrog disclosed CVE-2025-6514, a critical vulnerability in the mcp-remote project that could allow an attacker to “trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server.”

Mcp-remote is a project that enables LLM hosts to communicate with remote MCP servers, even when they only natively support communicating with local MCP servers, JFrog explained.

“While previously published research has demonstrated risks from MCP clients connecting to malicious MCP servers, this is the first time that full remote code execution is achieved in a real-world scenario on the client operating system when connecting to an untrusted remote MCP server,” Or Peles, vulnerability research team leader at JFrog, wrote in a blog post.

Glen Maddern, mcp-remote’s primary maintainer, quickly fixed the vulnerability, so anyone using mcp-remote should update to 0.1.16.

According to Peles, the moral of the story here is that MCP users should only connect to trusted MCP servers and should be using secure connection methods like HTTPS, since similar vulnerabilities could be found in the future. “Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem,” Peles said.
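The two mitigations above (run mcp-remote 0.1.16 or later, and connect only to trusted servers over HTTPS) can be checked mechanically against an MCP host's configuration. The following is an added example, not code from JFrog, the mcp-remote project or the original article; it assumes the host keeps its servers under an `mcpServers` key as `command`/`args` entries, and `TRUSTED_HOSTS`, the sample config and every hostname in it are constructed.

```javascript
// Added example: audit an MCP host config for risky mcp-remote entries.
// Assumption: servers live under "mcpServers" as { command, args } objects.
const FIXED = [0, 1, 16]; // mcp-remote release with the CVE-2025-6514 fix, per the article
const TRUSTED_HOSTS = new Set(["mcp.internal.example"]); // hypothetical allowlist

// True when an exact "x.y.z" version is older than FIXED.
function isOlderThanFix(version) {
  const parts = version.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false;
}

function auditMcpConfig(config) {
  const findings = [];
  const flag = (name, issue) => findings.push({ name, issue });
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    const argv = [server.command, ...(server.args || [])];
    const idx = argv.findIndex((a) => /^mcp-remote(@.*)?$/.test(a));
    if (idx === -1) continue; // entry does not launch mcp-remote
    const pin = argv[idx].split("@")[1]; // undefined when no version is given
    if (!pin || !/^\d+\.\d+\.\d+$/.test(pin)) flag(name, "no exact version pin");
    else if (isOlderThanFix(pin)) flag(name, `version ${pin} predates 0.1.16`);
    // First argument after the package name that looks like a URL.
    const raw = argv.slice(idx + 1).find((a) => /^[a-z][a-z0-9+.-]*:\/\//i.test(a));
    let url;
    try { url = new URL(raw); } catch { flag(name, "no parsable server URL"); continue; }
    if (url.protocol !== "https:") flag(name, "server URL is not HTTPS");
    if (!TRUSTED_HOSTS.has(url.hostname)) flag(name, `host ${url.hostname} not allowlisted`);
  }
  return findings;
}

// Constructed sample config (not taken from any real deployment).
const SAMPLE = {
  mcpServers: {
    good: { command: "npx", args: ["-y", "mcp-remote@0.1.16", "https://mcp.internal.example/sse"] },
    stale: { command: "npx", args: ["mcp-remote@0.1.15", "http://tools.example.net/sse"] },
    floating: { command: "npx", args: ["mcp-remote", "https://mcp.internal.example/sse"] },
    local: { command: "node", args: ["./server.js"] },
  },
};

for (const f of auditMcpConfig(SAMPLE)) console.log(`${f.name}: ${f.issue}`);
```

An entry without an exact version pin is reported because the config alone cannot show which release the package runner will resolve.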

Addressing security concerns in the broader MCP ecosystem

JFrog’s discovery isn’t the first vulnerability related to MCP to come to light. Other recent CVEs include CVE-2025-49596, which detailed MCP Inspector being vulnerable to remote code execution (fixed in version 0.14.1); CVE-2025-53355, which detailed a command injection vulnerability in MCP Server Kubernetes (fixed in version 2.5.0); and CVE-2025-53366, which detailed a validation error in the MCP Python SDK that could lead to an unhandled exception when processing malformed requests (fixed in version 1.9.4).

According to the MCP documentation, some of the most common attacks in MCP are confused deputy problems, token passthrough, and session hijacking.

Gaetan Ferry, a security researcher at secrets management company GitGuardian, said, “My current feeling about the protocol itself right now is that it’s not mature enough from a security perspective. So if even the protocol itself is not mature security-wise, you can’t really expect the ecosystem to be mature security-wise.”

He predicts we’re going to continue seeing more CVEs pop up as MCP adoption increases, and noted that right now we’re seeing a new exploitation scenario roughly every two weeks.

He said that there isn’t yet an industry consensus on best practices for using MCP safely, but some recommendations are starting to come out. His biggest recommendation is to install servers in distinct trust boundaries. For example, one installation might be only for dealing with sensitive data, and another could be designated for only working with untrusted data.

Despite the lack of security in MCP, Ferry believes it’s still possible to use MCP safely if you are conscious about what you are doing when you use it. GitGuardian uses MCP internally, but it has specific guidelines that must be followed and restricts the types of features, servers, and data they can use.

The problem, he said, is that MCP is so young and adoption has been rapid, and often when you try to go fast, security is not the first thing that’s thought of. We’re past the point of no return now, with so many already having adopted it, so now we need to move forward with security top of mind.

“It’s going to be a challenge for the industry, but that’s something we’ve already faced in the past every time the industry comes up with a new exciting technology,” he said. “Microservices and APIs at some point were also kind of a revolution, and we saw the same patterns like old attacks starting to work again in a new environment, and a whole new security environment needing to be built.”


