Earlier this week, JFrog disclosed CVE-2025-6514, a essential vulnerability within the mcp-remote challenge that would permit an attacker to “set off arbitrary OS command execution on the machine operating mcp-remote when it initiates a connection to an untrusted MCP server.”
Mcp-remote is a challenge that permits LLM hosts to speak with distant MCP servers, even when they solely natively help speaking with native MCP servers, JFrog defined.
“Whereas beforehand revealed analysis has demonstrated dangers from MCP purchasers connecting to malicious MCP servers, that is the primary time that full distant code execution is achieved in a real-world state of affairs on the consumer working system when connecting to an untrusted distant MCP server,” Or Peles, vulnerability analysis staff chief at JFrog, wrote in a weblog put up.
Glen Maddern, mcp-remote’s major maintainer, rapidly fastened the vulnerability, so anybody utilizing mcp-remote ought to replace to 0.1.16.
Based on Peles, the ethical of the story right here is that MCP customers ought to solely connect with trusted MCP servers and needs to be utilizing safe connection strategies like HTTPS, since related vulnerabilities may very well be discovered sooner or later. “In any other case, vulnerabilities like CVE-2025-6514 are more likely to hijack MCP purchasers within the ever-growing MCP ecosystem,” Peles mentioned.
Addressing safety issues within the broader MCP ecosystem
JFrog’s discovery isn’t the primary vulnerability associated to MCP to return to gentle. Different current CVEs embrace CVE-2025-49596, which detailed MCP Inspector being weak to distant code execution (fastened in model 0.14.1); CVE-2025-53355, which detailed a command injection vulnerability in MCP Server Kubernetes (fastened in model 2.5.0); and CVE-2025-53366, which detailed a validation error within the MCP Python SDK that would result in an unhandled exception when processing malformed requests (fastened in model 1.9.4).
Based on the MCP documentation, a few of the most typical assaults in MCP are confused deputy issues, token passthrough, and session hijacking.
Gaetan Ferry, a safety researcher at secrets and techniques administration firm GitGuardian, mentioned “My present feeling concerning the protocol itself proper now’s that it’s not gatmature sufficient from a safety perspective. So if even the protocol itself just isn’t mature security-wise, you may’t actually count on the ecosystem to be mature security-wise.”
He predicts we’re going to proceed seeing extra CVEs pop up as MCP adoption will increase, and famous that proper now we’re seeing a brand new exploitation state of affairs roughly each two weeks.
He mentioned that there isn’t but an business consensus on finest practices for utilizing MCP safely, however some suggestions are beginning to come out. His greatest suggestion is to put in servers in distinctive belief boundaries. For instance, one set up can be just for coping with delicate knowledge, and one other may very well be designated for less than working with untrusted knowledge.
Regardless of the dearth of safety in MCP, Ferry believes it’s nonetheless potential to make use of MCP safely in case you are acutely aware about what you might be doing if you use it. GitGuardian makes use of MCP internally, nevertheless it has particular tips that have to be adopted and restricts the sorts of options, servers, and knowledge they’ll use.
The issue, he mentioned, is that MCP is so younger and adoption has been fast, and sometimes if you attempt to go quick, safety just isn’t the very first thing that’s considered. We’re previous the purpose of no return now, with so many already having adopted it, so now we have to transfer ahead with safety prime of thoughts.
“It’s going to be a problem for the business, however that’s one thing we’ve already confronted up to now each time the business comes up with a brand new thrilling expertise,” he mentioned. “Microservices and APIs in some unspecified time in the future had been additionally type of a revolution, and we noticed the identical patterns like previous assaults beginning to work once more in a brand new setting, and an entire new safety setting needing to be constructed.”