Serious Vulnerabilities Found in MCP-Remote Package Expose Users to Remote Code Execution


By Tina Reynolds


An extremely severe set of security vulnerabilities is being disclosed in the very popular mcp-remote npm library, and it has developers and users alike raising major alarm bells. The vulnerabilities, tracked as CVE-2025-53110, CVE-2025-6514 and CVE-2025-49596, have a large impact, including possible remote code execution. More than 437,000 unique users have downloaded the package already! It’s possible that many of them still don’t understand the risks these vulnerabilities create.

Currently the CVE-2025-53110 vulnerability has a CVSS score of 7.3, reflecting its critical nature. The CVE-2023-38258 directory containment bypass vulnerability lets an attacker read and write arbitrary files outside the designated directory. Attackers take advantage of it by abusing the allowed directory prefix: a path that merely begins with the same string as the allowed directory passes the check. That access lets them reach other directories and obtain unauthorized code execution through persistence mechanisms such as Launch Agents or cron jobs.

Details of the Vulnerabilities

To compound matters, the CVE-2025-6514 vulnerability is even more egregious, with a high CVSS score of 9.6 out of 10. Attackers can take advantage of it to inject potentially malicious commands into the proxy instance. The issue presents a serious vulnerability to all users of Filesystem MCP Server versions prior to 0.6.3 and 2025.7.1. Exploitation can happen via NeighborJacking or cross-site attacks, which makes the threat even harder for victims to recognise.

Another major vulnerability, CVE-2025-49596, has been given a CVSS score of 9.4. The MCP Inspector tool has a major flaw. When exploited, this vulnerability could lead to remote code execution, making it even more damaging to the systems that rely on these tools.

Elad Beber, a notable expert, commented on the risks associated with these vulnerabilities:

“This vulnerability is a serious breach of the Filesystem MCP Server’s security model.”

The mcp-remote vulnerability affects versions 0.0.5 to 0.1.15. Thankfully, this bug has been fixed by the developer starting with version 0.1.16 on June 17, 2025. All users should immediately upgrade their installations to avoid attacks that may result from these vulnerabilities.

“Attackers can gain unauthorized access by listing, reading or writing to directories outside the allowed scope, potentially exposing sensitive files like credentials or configurations.”

Implications for Users

Rémy Marot emphasized the need for rigorous security measures in software development:


“It’s crucial to enforce security fundamentals in server development and tool usage.”

He further noted the importance of basic security practices:

“Adhering to basic security practices can significantly mitigate risks from vulnerabilities in novel systems and prevent devastating attacks.”

Or Peles highlighted the grave consequences associated with the mcp-remote vulnerability:

“The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server, posing a significant risk to users – a full system compromise.”

Peles also advised users on best practices:

“While remote MCP servers are highly effective tools for expanding AI capabilities in managed environments… MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS.”