mcp-remote

Remote MCP servers run over Server-Sent Events (SSE) for server-to-client streaming and HTTP POST for client-to-server requests. The mcp-remote npm package implements this transport on the client side for hosts that do not ship native SSE support. It is also the package affected by CVE-2025-6514, a critical OS command injection vulnerability disclosed in June 2025.

How remote MCP differs from local stdio

  • stdio. Client spawns the server as a child process. Messages move over stdin and stdout. No network surface. The server inherits the host process's permissions: env vars, file system, credentials.
  • Remote (SSE + HTTP). Server runs as an HTTP endpoint. The client opens a long-lived SSE connection for server-to-client messages and POSTs to a separate URL for outbound requests. The endpoint negotiates the POST URL at connection time.
  • Auth. Local stdio inherits whatever the host has. Remote MCP usually runs OAuth 2.1 with PKCE on the HTTP transport.

What the mcp-remote package does

  • Wraps the remote MCP transport so a stdio-only host can connect to an SSE+HTTP server.
  • Spawns locally as a stdio bridge, opens SSE plus HTTP to the remote server, marshals JSON-RPC messages between the two.
  • Handles the OAuth 2.1 flow on behalf of the host: opens a browser for user consent, captures the redirect, exchanges the code for tokens.

CVE-2025-6514 walkthrough

Disclosed June 2025. CVSS 9.6 critical OS command injection. Affects mcp-remote versions >= 0.0.5, < 0.1.16. Patched in v0.1.16, released June 17, 2025.

  1. During the OAuth discovery phase, the remote MCP server returns an authorization_endpoint URL. The client is supposed to open this URL in a browser so the user can sign in and grant consent.
  2. mcp-remote passes the URL string to the open npm package, which delegates to the OS shell command for launching default applications.
  3. On Windows, open invokes PowerShell. PowerShell evaluates the URL string as input, including any subexpression syntax embedded in it.
  4. A crafted endpoint like http://example.com/auth?id=$(calc.exe) causes PowerShell to execute the subexpression before the browser ever launches.
  5. The remote server controls the authorization_endpoint value. Connecting to an untrusted MCP server is sufficient to trigger pre-authentication remote code execution on the client machine.

The broader lesson

CVE-2025-6514 is one instance of a wider class. The stdio transport itself has a documented configuration-to-command flaw disclosed in April 2026 across Letta AI, LangFlow, and Windsurf, affecting 150M+ downloads. Both cases share a shape: client code passes server-supplied data to an OS command surface without isolating the trust domains. mcp-remote is one SSE-side implementation of that class.

Mitigation

  • Update mcp-remote to v0.1.16 or later.
  • Treat any URL received from an MCP server as untrusted input. Validate scheme, host, and character set before passing it to any OS command or browser launcher.
  • Sandbox the OAuth flow. Run the browser launch in a constrained subprocess so a compromised endpoint cannot escalate to the host's privileges.
  • Audit the client for similar patterns. Anywhere client code passes a server-controlled string to a shell, launcher, or interpreter is the same class of bug.
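
The scheme, host, and character-set check from the second bullet, as an added example (not mcp-remote's code or its patch). It validates the authorization_endpoint value as received from the server, before the client appends its own parameters. The function name, the allowedHosts parameter, the character allow-list, and the loopback exception are assumptions made for illustration.

```javascript
// Added example: validate a server-supplied authorization_endpoint before it
// reaches any browser launcher. All names and limits here are assumptions.

// RFC 3986 unreserved characters plus the delimiters a plain endpoint needs.
// Deliberately excludes $ ( ) ` ' " ; | & < > { } \ # and whitespace.
const SAFE_CHARS = /^[A-Za-z0-9\-._~:\/?=%@\[\]]+$/;

function validateAuthorizationEndpoint(raw, allowedHosts) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "not a bounded string" };
  }
  // Check the raw string first: the WHATWG URL parser leaves characters such
  // as $ ( ) in a query unchanged, so parsing alone does not neutralise them.
  if (!SAFE_CHARS.test(raw)) {
    return { ok: false, reason: "character outside allow-list" };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  // Plain http is accepted only for loopback development servers.
  const loopback = ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
  if (url.protocol !== "https:" && !(url.protocol === "http:" && loopback)) {
    return { ok: false, reason: "scheme not allowed" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "embedded credentials" };
  }
  // allowedHosts: lowercase hostnames of authorization servers you trust.
  if (!loopback && !allowedHosts.includes(url.hostname)) {
    return { ok: false, reason: "host not allow-listed" };
  }
  return { ok: true, url: url.href };
}

// Constructed samples; the second is the crafted endpoint quoted in the walkthrough.
const SAMPLES = [
  "https://auth.example.com/authorize",
  "http://example.com/auth?id=$(calc.exe)",
  "file:///C:/Windows/System32/calc.exe",
];
for (const s of SAMPLES) {
  const verdict = validateAuthorizationEndpoint(s, ["auth.example.com"]);
  console.log(s, "->", JSON.stringify(verdict));
}
```

Validation of this kind is defence in depth: the value it returns should still be handed to the launcher as a single argument, never interpolated into a shell command string.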