mcp-remote (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package mcp-remote, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (1)
CVE-2025-6514 — CVSS 9.6 (critical): mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint…