CVE-2025-6514
Published: 09 July 2025
Summary
CVE-2025-6514 is a critical-severity OS Command Injection (CWE-78) vulnerability in JFrog (inferred from references). Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 6.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-6514 is an OS command injection vulnerability (CWE-78) in mcp-remote that arises when the client processes a crafted authorization_endpoint response URL returned by an untrusted MCP server. The flaw received a CVSS 3.1 score of 9.6, reflecting network attack vector, low complexity, no required privileges, and high impact across confidentiality, integrity, and availability with changed scope.
An unauthenticated remote attacker can exploit the issue by hosting a malicious MCP server that supplies malicious input in the authorization_endpoint field; when a user connects to that server, the injected commands execute on the client system, enabling full remote code execution.
A patch addressing the command-injection vector was merged in commit 607b226a356cb61a239ffaba2fb3db1c9dea4bac of the mcp-remote repository, and JFrog has published detailed analysis and mitigation guidance.
The EPSS score rose to a peak of 0.1606 before settling at the current value of 0.1217, indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20823
Vulnerability details
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL
- CWE(s): CWE-78
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: mcp
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection directly enables arbitrary command execution (T1059) on the client host after user-initiated connection to a malicious server (T1203 Exploitation for Client Execution).
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of untrusted inputs like the crafted authorization_endpoint URL to prevent OS command injection.
SI-2 mandates timely flaw remediation, including applying the specific patch for CVE-2025-6514 to eliminate the command injection vulnerability.
AC-20 establishes conditions and approvals for using external systems, mitigating risks from connecting mcp-remote to untrusted MCP servers.
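One way to apply the SI-10 input-validation control to the authorization_endpoint value, as an added example that is not code from mcp-remote or from this page. The function name, the allowlist policy (HTTPS only, HTTP for loopback hosts), the length limit and the sample values are assumptions.

```javascript
// Added example: strict validation of an OAuth authorization_endpoint value
// received from an MCP server, before the client does anything with it.
// Names, policy choices and sample values are assumptions for this sketch.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
// Characters with meaning to common shells that can survive URL normalization.
// "&" is not listed because query strings need it, so the accepted value must
// still be passed as a single argv element, never spliced into a command string.
const SHELL_META = /[\s"'`$;|()<>\\{}^]/;
const MAX_LENGTH = 2048;

function checkAuthorizationEndpoint(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > MAX_LENGTH) {
    return { ok: false, reason: "not a bounded string" };
  }
  let url;
  try {
    url = new URL(raw); // WHATWG parser; throws unless raw is an absolute URL
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  const loopback = LOOPBACK_HOSTS.has(url.hostname);
  if (url.protocol !== "https:" && !(url.protocol === "http:" && loopback)) {
    return { ok: false, reason: "scheme not allowed" };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "embedded credentials" };
  }
  // Test the normalized form so the check and the value used later agree.
  if (SHELL_META.test(url.href)) {
    return { ok: false, reason: "shell metacharacter in URL" };
  }
  return { ok: true, href: url.href };
}

// Constructed metadata values, for illustration only.
const samples = [
  "https://auth.example.com/oauth/authorize?client_id=abc&scope=read",
  "http://localhost:8080/authorize",
  "http://auth.example.com/authorize",
  "file:///etc/hosts",
  "https://user:pw@auth.example.com/authorize",
  "https://auth.example.com/authorize?x=$(constructed)",
];
for (const s of samples) {
  console.log(JSON.stringify(s), checkAuthorizationEndpoint(s));
}
```

Only the returned `href` should be used downstream, and a rejected value should abort the connection attempt rather than fall back to the raw string.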