mcp-remote OAuth shell injection (CVE-2025-6514)
A malicious authorization_endpoint value returned by a remote server during mcp-remote's OAuth flow could trigger OS command execution on the client host during connection setup.
Affected systems
MCP deployments, Coding agents
Primary threats
Tool Misuse, Capability Escalation
Impact types
Remote code execution, Host compromise
CVEs
CVE-2025-6514
What an auditor should now check
- Inspect OAuth handshake fields that flow into subprocess or shell wrappers
- Verify remote server metadata is schema-validated and that values are passed as discrete arguments rather than escaped into shell strings
- Check whether connector setup runs with excessive host privileges
Why this matters
OAuth discovery metadata looks like configuration, but here it became shell input. The lesson is that state obtained during a remote handshake sits on the path from untrusted input to an execution sink, even when no prompt is involved.
What happened
During the OAuth handshake, mcp-remote used the authorization_endpoint value from the remote server's OAuth metadata, and a crafted value could reach OS command execution on the client host. The exploit path did not need a poisoned prompt or any user-supplied content; it only needed the client to connect to a malicious remote endpoint.
Why the classification matters
Auditors should classify this as execution-sink reachability through connector metadata, not as a pure authentication bug: the OAuth flow was only the transport that carried attacker-controlled data to the sink.
What an auditor should now check
- Whether discovery metadata is ever interpolated into shell commands
- Whether connector setup has the same privileges as normal runtime actions
- Whether connection-time actions are logged with enough detail for forensics
Zealynx takeaway
This is a textbook example of untrusted remote metadata crossing into an execution sink.
Control implications
- Treat OAuth discovery and metadata as attacker-reachable input
- Separate connection setup from command execution paths
- Block shell construction from transport-layer metadata