

Earlier this week, JFrog disclosed CVE-2025-6514, a critical vulnerability in the mcp-remote project that could allow an attacker to “trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server.”
mcp-remote is a project that enables LLM hosts to communicate with remote MCP servers, even when they natively only support communicating with local MCP servers, JFrog explained.
“While previously published research has demonstrated risks from MCP clients connecting to malicious MCP servers, this is the first time that full remote code execution is achieved in a real-world scenario on the client operating system when connecting to an untrusted remote MCP server,” Or Peles, vulnerability research team leader at JFrog, wrote in a blog post.
Glen Maddern, mcp-remote’s primary maintainer, quickly fixed the vulnerability, so anyone using mcp-remote should update to 0.1.16.
According to Peles, the moral of the story here is that MCP users should only connect to trusted MCP servers and should be using secure connection methods like HTTPS, since similar vulnerabilities may be found in the future. “Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem,” Peles said.
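One way to put that advice into practice, as an added example that is not code from the article, JFrog or the mcp-remote project: a pre-connection policy check that only lets an MCP client use HTTPS URLs to allowlisted hosts, rejects URLs carrying embedded credentials, and confirms the installed mcp-remote is at least 0.1.16. The allowlist hosts and version strings are constructed sample values.

```python
"""Pre-connection policy check for MCP clients that use mcp-remote.

Added example, not code from JFrog, mcp-remote or the article. The trusted
hosts below are constructed sample values; the minimum version is the fixed
release named in the article.
"""
from urllib.parse import urlsplit

# Constructed allowlist: hosts an organisation has decided to trust.
TRUSTED_MCP_HOSTS = {"mcp.example.internal", "tools.example.com"}

# Release in which the maintainer fixed CVE-2025-6514.
MIN_MCP_REMOTE_VERSION = (0, 1, 16)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '0.1.16' or 'v0.1.16' into (0, 1, 16); reject non-numeric parts."""
    parts = version.strip().lstrip("v").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def mcp_remote_is_patched(version: str) -> bool:
    """True when the installed mcp-remote is 0.1.16 or newer."""
    return parse_version(version) >= MIN_MCP_REMOTE_VERSION


def check_mcp_server_url(url: str, trusted_hosts=TRUSTED_MCP_HOSTS) -> tuple[bool, str]:
    """Return (allowed, reason). Only HTTPS URLs to allowlisted hosts pass.

    Embedded credentials are refused both because they leak secrets and
    because 'https://trusted.host@evil.host/' would otherwise look trusted
    to a naive substring check.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if parts.username or parts.password:
        return False, "credentials embedded in the URL are not allowed"
    host = (parts.hostname or "").lower()
    if host not in trusted_hosts:
        return False, f"host {host!r} is not on the trusted allowlist"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://mcp.example.internal/sse",
                      "http://mcp.example.internal/sse",
                      "https://mcp.example.internal@evil.example.net/sse"):
        print(candidate, "->", check_mcp_server_url(candidate))
    print("mcp-remote 0.1.15 patched?", mcp_remote_is_patched("0.1.15"))
```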
Addressing security concerns in the broader MCP ecosystem
JFrog’s discovery isn’t the first vulnerability related to MCP to come to light. Other recent CVEs include CVE-2025-49596, which detailed MCP Inspector being vulnerable to remote code execution (fixed in version 0.14.1); CVE-2025-53355, which detailed a command injection vulnerability in MCP Server Kubernetes (fixed in version 2.5.0); and CVE-2025-53366, which detailed a validation error in the MCP Python SDK that could lead to an unhandled exception when processing malformed requests (fixed in version 1.9.4).
According to the MCP documentation, some of the most common attacks in MCP are confused deputy problems, token passthrough, and session hijacking.
Gaetan Ferry, a security researcher at secrets management company GitGuardian, said, “My current feeling about the protocol itself right now is that it’s not mature enough from a security perspective. So if even the protocol itself is not mature security-wise, you can’t really expect the ecosystem to be mature security-wise.”
He predicts we’re going to continue seeing more CVEs pop up as MCP adoption increases, and noted that right now we’re seeing a new exploitation scenario roughly every two weeks.
He said that there isn’t yet an industry consensus on best practices for using MCP safely, but some recommendations are starting to come out. His main recommendation is to install servers in distinct trust boundaries. For example, one installation would be only for dealing with sensitive data, and another could be designated for only working with untrusted data.
Despite the lack of security in MCP, Ferry believes it’s still possible to use MCP safely if you’re conscious about what you’re doing when you use it. GitGuardian uses MCP internally, but it has specific guidelines that must be followed and restricts the types of features, servers, and data they can use.
The problem, he said, is that MCP is so young and adoption has been fast, and often when you try to go fast, security is not the first thing that’s considered. We’re past the point of no return now, with so many already having adopted it, so we have to move forward with security top of mind.
“It’s going to be a challenge for the industry, but that’s something we’ve already faced in the past every time the industry comes up with a new exciting technology,” he said. “Microservices and APIs at some point were also kind of a revolution, and we saw the same patterns like old attacks starting to work again in a new environment, and a whole new security environment needing to be built.”