JFrog finds MCP-related vulnerability, highlighting need for stronger focus on security in MCP ecosystem

Earlier this week, JFrog disclosed CVE-2025-6514, a critical vulnerability in the mcp-remote project that could allow an attacker to “trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server.”

Mcp-remote is a project that allows LLM hosts to communicate with remote MCP servers, even when they only natively support communicating with local MCP servers, JFrog explained.

“While previously published research has demonstrated risks from MCP clients connecting to malicious MCP servers, this is the first time that full remote code execution is achieved in a real-world scenario on the client operating system when connecting to an untrusted remote MCP server,” Or Peles, vulnerability research team leader at JFrog, wrote in a blog post.

Glen Maddern, mcp-remote’s primary maintainer, quickly fixed the vulnerability, so anyone using mcp-remote should update to 0.1.16.

According to Peles, the moral of the story here is that MCP users should only connect to trusted MCP servers and should be using secure connection methods like HTTPS, since similar vulnerabilities could be found in the future. “Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem,” Peles said.
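As an added example (not from the article, JFrog, or the mcp-remote project), a small Python check that audits an MCP host configuration for the two points above: mcp-remote pinned at or above 0.1.16, and only https:// server URLs. The `mcpServers` JSON layout and the `npx mcp-remote <url>` argument shape are assumptions based on the format common MCP hosts use; the sample configuration is constructed.

```python
import json
import re

# Constructed sample of the "mcpServers" configuration layout used by several
# MCP hosts (assumed layout; not taken from the article or from JFrog).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "docs":   {"command": "npx", "args": ["-y", "mcp-remote@0.1.16", "https://mcp.example.com/sse"]},
        "legacy": {"command": "npx", "args": ["-y", "mcp-remote", "http://mcp.example.com/sse"]},
        "old":    {"command": "npx", "args": ["-y", "mcp-remote@0.1.15", "https://mcp.example.com/sse"]},
        "local":  {"command": "python", "args": ["server.py"]},
    }
})

FIXED_VERSION = (0, 1, 16)  # first mcp-remote release carrying the fix for CVE-2025-6514


def parse_version(spec):
    """Return the pinned version tuple from 'mcp-remote@X.Y.Z', or None if unpinned."""
    m = re.fullmatch(r"mcp-remote@(\d+)\.(\d+)\.(\d+)", spec)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(config_text):
    """Return {server_name: [findings]} for every mcp-remote entry in the config."""
    findings = {}
    for name, entry in json.loads(config_text).get("mcpServers", {}).items():
        args = entry.get("args", [])
        pkg = next((a for a in args if a.split("@")[0] == "mcp-remote"), None)
        if pkg is None:
            continue  # not an mcp-remote bridge; out of scope for this check
        issues = []
        version = parse_version(pkg)
        if version is None:
            issues.append("unpinned mcp-remote: pin to >=0.1.16 so the fixed release is guaranteed")
        elif version < FIXED_VERSION:
            issues.append(f"mcp-remote {'.'.join(map(str, version))} is affected by CVE-2025-6514")
        # Every URL-looking argument must use HTTPS; plaintext transport can be tampered with.
        for url in (a for a in args if "://" in a):
            if not url.startswith("https://"):
                issues.append(f"non-HTTPS server URL {url}: use https://")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for server, issues in audit(SAMPLE_CONFIG).items():
        print(server, "OK" if not issues else issues)
```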

Addressing security concerns in the broader MCP ecosystem

JFrog’s discovery isn’t the first vulnerability related to MCP to come to light. Other recent CVEs include CVE-2025-49596, which detailed MCP Inspector being vulnerable to remote code execution (fixed in version 0.14.1); CVE-2025-53355, which detailed a command injection vulnerability in MCP Server Kubernetes (fixed in version 2.5.0); and CVE-2025-53366, which detailed a validation error in the MCP Python SDK that could lead to an unhandled exception when processing malformed requests (fixed in version 1.9.4).

According to the MCP documentation, some of the most common attacks in MCP are confused deputy problems, token passthrough, and session hijacking.

Gaetan Ferry, a security researcher at secrets management company GitGuardian, said “My current feeling about the protocol itself right now is that it’s not mature enough from a security perspective. So if even the protocol itself isn’t mature security-wise, you can’t really expect the ecosystem to be mature security-wise.”

He predicts we’re going to continue seeing more CVEs pop up as MCP adoption increases, and noted that right now we’re seeing a new exploitation scenario roughly every two weeks.

He said that there isn’t yet an industry consensus on best practices for using MCP safely, but some recommendations are starting to come out. His biggest recommendation is to install servers in distinct trust boundaries. For example, one installation would be only for dealing with sensitive data, and another could be designated for only working with untrusted data.

Despite the lack of security in MCP, Ferry believes it’s still possible to use MCP safely if you are conscious about what you are doing when you use it. GitGuardian uses MCP internally, but it has specific guidelines that must be followed and restricts the types of features, servers, and data they can use.

The problem, he said, is that MCP is so young and adoption has been rapid, and often when you try to go fast, security isn’t the first thing that’s considered. We’re past the point of no return now, with so many already having adopted it, so we have to move forward with security top of mind.

“It’s going to be a challenge for the industry, but that’s something we’ve already faced in the past every time the industry comes up with a new exciting technology,” he said. “Microservices and APIs at some point were also kind of a revolution, and we saw the same patterns like old attacks starting to work again in a new environment, and a whole new security environment needing to be built.”
