Cyber Resilience

CVE-2025-6514

Critical RCE

Published: 09 July 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.1217 (94.0th percentile)
Risk Priority: 27 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-6514 is a critical-severity OS Command Injection (CWE-78) vulnerability in JFrog (inferred from references). Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 6.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-6514 is an OS command injection vulnerability (CWE-78) in mcp-remote that arises when the client processes a crafted authorization_endpoint response URL returned by an untrusted MCP server. The flaw received a CVSS 3.1 score of 9.6, reflecting network attack vector, low complexity, no required privileges, and high impact across confidentiality, integrity, and availability with changed scope.

An unauthenticated remote attacker can exploit the issue by hosting a malicious MCP server that supplies malicious input in the authorization_endpoint field; when a user connects to that server, the injected commands execute on the client system, enabling full remote code execution.

A patch addressing the command-injection vector was merged in commit 607b226a356cb61a239ffaba2fb3db1c9dea4bac of the mcp-remote repository, and JFrog has published detailed analysis and mitigation guidance.

The EPSS score rose to a peak of 0.1606 before settling at the current value of 0.1217, indicating measurable post-disclosure exploitation interest.

EU & UK References

Vulnerability details

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL

CWE(s)

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection directly enables arbitrary command execution (T1059) on the client host after user-initiated connection to a malicious server (T1203 Exploitation for Client Execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25546 (shared CWE-78)
CVE-2025-66401 (shared CWE-78)
CVE-2026-26029 (shared CWE-78)
CVE-2026-26331 (shared CWE-78)
CVE-2025-65480 (shared CWE-78)
CVE-2025-54074 (shared CWE-78)
CVE-2024-14010 (shared CWE-78)
CVE-2026-6942 (shared CWE-78)
CVE-2025-64109 (shared CWE-78)
CVE-2026-30635 (shared CWE-78)

Affected Assets

JFrog (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 requires validation of untrusted inputs like the crafted authorization_endpoint URL to prevent OS command injection.

Prevent: SI-2 mandates timely flaw remediation, including applying the specific patch for CVE-2025-6514 to eliminate the command injection vulnerability.

Prevent: AC-20 establishes conditions and approvals for using external systems, mitigating risks from connecting mcp-remote to untrusted MCP servers.
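
One way to apply the SI-10 control above to the authorization_endpoint value a client receives from an MCP server, as an added example that is not code from mcp-remote or from this page's sources. The function name, the loopback exception, the length limit and the character allowlist are assumptions chosen for illustration.

```javascript
// Added example (not mcp-remote code). Policy choices here are assumptions.
// Validation complements launching the browser without a shell; it does not replace it.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
// Conservative allowlist for the serialized URL: unreserved characters plus the
// delimiters a plain authorization endpoint needs. Shell-significant characters
// such as $ ( ) ; | ' " < > \ are deliberately absent.
const SAFE_URL_CHARS = /^[A-Za-z0-9\-._~:\/?#[\]@&=+,%]+$/;

function validateAuthorizationEndpoint(raw, { allowLoopbackHttp = true } = {}) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "missing or oversized value" };
  }
  // Reject whitespace and control characters instead of letting the parser strip them.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return { ok: false, reason: "whitespace or control character" };
  }
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  const loopbackHttp =
    allowLoopbackHttp && url.protocol === "http:" && LOOPBACK_HOSTS.has(url.hostname);
  if (url.protocol !== "https:" && !loopbackHttp) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "embedded credentials" };
  }
  // Check the parser's normalized form, which is what would be passed onward.
  if (!SAFE_URL_CHARS.test(url.href)) {
    return { ok: false, reason: "character outside allowlist" };
  }
  return { ok: true, url: url.href };
}

// Constructed sample values, checked the way a client would on metadata discovery.
const samples = [
  "https://auth.example.test/oauth/authorize",
  "http://localhost:3334/authorize",
  "http://auth.example.test/authorize",
  "file:///tmp/x",
  "https://auth.example.test/a?x=$y",
];
for (const s of samples) console.log(s, validateAuthorizationEndpoint(s));
```

Only the returned `url` string should be used downstream; a rejected value should end the connection attempt to that server.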

References