GHSA-6xpm-ggf7-wc3p

Опубликовано: 09 июл. 2025

Источник: github

Github: Прошло ревью

CVSS3: 9.6

Описание

mcp-remote exposed to OS command injection via untrusted MCP server connections

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2025-6514
https://github.com/geelen/mcp-remote/commit/607b226a356cb61a239ffaba2fb3db1c9dea4bac
https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability
https://research.jfrog.com/vulnerabilities/mcp-remote-command-injection-rce-jfsa-2025-001290844

Пакеты

Наименование

mcp-remote

npm

Затронутые версииВерсия исправления

>= 0.0.5, < 0.1.16

0.1.16

EPSS

Процентиль: 30%

0.00111

Низкий

9.6 Critical

CVSS3

CVE ID

CVE-2025-6514

Дефекты

CWE-78

Связанные уязвимости

CVE-2025-6514

CVSS3: 9.6

nvd

7 дней назад

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL

EPSS

Процентиль: 30%

0.00111

Низкий

9.6 Critical

CVSS3

CVE ID

CVE-2025-6514

Дефекты

CWE-78