Report 5575

Agentic AI's Risky MCP Backbone Opens Brand-New Attack Vectors
darkreading.com · 2025

Two critical remote code execution vulnerabilities in the Model Context Protocol (MCP) ecosystem have laid bare the hidden risks lurking in what's quickly becoming AI's new backbone infrastructure.

Reported by Tenable and JFrog Security Research, respectively, the flaws expose developers and end users to attacks that could allow adversaries to take over systems and run arbitrary code on them with relative ease.

AI's New (Vulnerable) Plumbing

MCP is an Anthropic-developed open source standard for AI models to securely connect to and interact with data sources such as databases, content repositories and tools. It enables AI models like Anthropic's Claude, for example, to retrieve live data from Slack, update Jira tickets, or query customer databases, all in a standard, secure manner, through a client-server architecture.

"Think of MCP as a universal adapter for AI applications, similar to what USB-C is for physical devices," is how the official description puts it. "USB-C acts as a universal adapter to connect devices to various peripherals and accessories. Similarly, MCP provides a standardized way to connect AI applications to different data and tools."

The vulnerabilities that Tenable and JFrog reported this week affect different components of the MCP ecosystem.

The flaw that Tenable discovered, CVE-2025-49596, affects Anthropic's MCP Inspector, an open source tool for testing and debugging MCP servers. MCP servers act as a middle layer between an AI model and the data source it connects to. According to one site that tracks the numbers, there are close to 5,000 MCP servers worldwide that organizations can integrate their AI models with, for a wide variety of use cases. Unfortunately, many of these are misconfigured or otherwise insecure and put the organizations using them at heightened risk of attack.

Critical RCE Security Bugs

CVE-2025-49596, which carries a critical rating of 9.4 on the Common Vulnerability Scoring System (CVSS) severity scale, stems from a proxy-server component in MCP Inspector accepting connections from any IP address without authentication or origin validation, which makes it reachable from anywhere on the local network and potentially from the Internet. The flaw affects versions of MCP Inspector prior to 0.14.1; Anthropic's fix in that release adds session token authentication and origin validation.

Rémy Marot, staff research engineer at Tenable, says there are two main exploitation scenarios. If an attacker is on the same network as the machine hosting the proxy instance, they can directly inject malicious commands into it. Attackers can also exploit the vulnerability by sending crafted HTTP requests via a malicious webpage, and tricking the proxy into executing arbitrary code on the developer's machine.

"An attack chain begins with an attacker creating a malicious website hosting a malicious JavaScript, which will perform cross-site requests," Marot says. "If a developer using a vulnerable version of MCP Inspector visits this malicious website, the malicious script will execute, fully compromising the developer's workstation."

The flaw that JFrog uncovered meanwhile, CVE-2025-6514, is a command-injection issue that affects the open source mcp-remote project. As JFrog described it, "Mcp-remote is a proxy that enables Large Language Model (LLM) hosts such as Claude Desktop to communicate with remote MCP servers, even if natively they only support communicating with local MCP servers."

With a CVSS score of 9.6, CVE-2025-6514 is a critical improper-sanitization issue that enables OS command injection on clients running mcp-remote. The vulnerability is present in mcp-remote versions 0.0.5 to 0.1.15.

"Anyone using mcp-remote that connects to an untrusted or insecure MCP server using an affected version is vulnerable to this attack," according to JFrog. The security vendor urged affected organizations to update mcp-remote to version 0.1.16 to mitigate risk and to ensure they only connect to trusted MCP servers over HTTPS.

MCP Adoption Outpacing Security

Shachar Menashe, JFrog's vice president of security research, says attackers that are already on a local network can relatively easily use a man-in-the-middle (MITM) attack to sniff LAN traffic, see if anyone is making HTTP requests to the vulnerable endpoint, and inject malicious responses. Leveraging the vulnerability remotely is harder because an attacker would have to know the victim is using mcp-remote. But there are scenarios where a remote attacker could feed crafted data to MCP clients and take over their systems, he says.

Soujanya Ain, product marketing manager at GitGuardian, says the rapid adoption of MCP is outpacing the security readiness of organizations that are harnessing it to enable agentic AI capabilities. "MCP servers are the backbone of agentic workflows, and [they] are rapidly multiplying, with over 5,000 already published to public registries like Smithery.ai," Ain says.

She points to research that GitGuardian conducted recently which shows that 5.2% of these servers have leaked at least one secret --- a figure that is notably higher than the 4.6% baseline across all GitHub repos. "These leaks include high-risk credentials like bearer tokens and X-API-Keys, the very kind that allow lateral movement, cloud access, and data exfiltration if compromised," she says.

A lot of this is happening because organizations are racing to adopt MCP without clear policies or security guardrails. The rapidly growing use of MCP has introduced new attack vectors including tool squatting, prompt injection, and unauthorized privilege escalation via misconfigured local MCP servers.

"Because LLMs can orchestrate these tools without human oversight, a compromised agent can silently chain together actions --- reading files, calling APIs, even triggering infrastructure changes --- all under the radar," Ain says.

Security teams also aren't yet thinking of MCP servers as infrastructure, which is creating a huge blind spot, Ain notes: "Like all infrastructure, MCP servers need hardened interfaces, scoped credentials, audit trails, and most critically, identity-aware access policies."
