mcp-remote OS Command Injection Vulnerability Leading to Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in mcp-remote, a tool used to connect Large Language Model (LLM) clients to remote Model Context Protocol (MCP) servers. It allows arbitrary operating system command execution on the machine running mcp-remote, but only when that machine connects to an untrusted (or attacker-controlled) MCP server. The root cause is that mcp-remote takes the authorization_endpoint URL from the server's OAuth metadata response and hands it to a browser-launching routine without validating it, so a crafted URL can be turned into a command. The vulnerability affects mcp-remote versions 0.0.5 through 0.1.15 and is fixed in version 0.1.16.
Impact
Exploitation allows arbitrary OS command execution on the client machine, that is, the host running mcp-remote, not the MCP server. On Windows the attacker controls the executable and its full parameter list. On macOS and Linux the attacker can launch an arbitrary executable but has only limited control over its parameters; full command execution on those platforms may be possible with further research.
Reproduction
To reproduce, connect an affected version of mcp-remote to an MCP server you control. During the OAuth flow the server returns metadata whose authorization_endpoint is a crafted file URI pointing at an executable rather than an https URL. mcp-remote passes this value to the 'open' function to launch a browser, and because of how 'open' builds the platform-specific launch command, the referenced executable runs instead. On Windows the file URI can additionally carry a PowerShell command, because 'open' invokes PowerShell and PowerShell evaluates subexpressions embedded in the argument, which is what gives the attacker full parameter control there.
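The check a client should make before launching a browser is an allow-list on the URL it received from the server, not a blacklist of known payloads. The following is an added illustrative example, not mcp-remote's own code or its actual fix: it parses the server-supplied authorization_endpoint, accepts only https (optionally http for local development), requires a host, and refuses characters that a launcher building a shell or PowerShell command line would interpret. The function names, the injected `opener` parameter and the two metadata documents are constructed for the example.

```javascript
// Added hardening example for server-supplied OAuth metadata (not mcp-remote's code).
// Only a validated URL may reach a browser launcher such as the npm `open` package.

// Schemes the launcher may receive. file:, javascript:, data: and custom
// schemes are rejected simply by not being listed.
const ALLOWED_SCHEMES = new Set(["https:"]);

// Characters that reach a shell or PowerShell when a launcher assembles a
// command line from the URL string. The WHATWG URL parser leaves most of
// these ($, (, ), |, ...) untouched, so check the parsed href explicitly.
const SHELL_SENSITIVE = /[\s"'`$()|&;<>{}\\]/;

// Returns the normalised URL, or throws describing why it was rejected.
function validateAuthorizationEndpoint(rawUrl, { allowHttp = false } = {}) {
  if (typeof rawUrl !== "string" || rawUrl.trim() === "") {
    throw new Error("authorization_endpoint is missing");
  }
  let url;
  try {
    url = new URL(rawUrl); // throws on relative or malformed input
  } catch {
    throw new Error(`authorization_endpoint is not an absolute URL: ${rawUrl}`);
  }
  const allowed = new Set(ALLOWED_SCHEMES);
  if (allowHttp) allowed.add("http:");
  if (!allowed.has(url.protocol)) {
    throw new Error(`authorization_endpoint scheme not allowed: ${url.protocol}`);
  }
  if (url.hostname === "" || url.username !== "" || url.password !== "") {
    throw new Error("authorization_endpoint must name a host and carry no credentials");
  }
  if (SHELL_SENSITIVE.test(url.href)) {
    throw new Error("authorization_endpoint contains shell-sensitive characters");
  }
  return url.href;
}

// Wraps a browser launcher so only a validated URL reaches it. `opener` is
// injected (in production it would be the `open` package's default export)
// so the wrapper can be exercised without launching anything.
function openAuthorizationEndpoint(metadata, opener, options) {
  const href = validateAuthorizationEndpoint(metadata.authorization_endpoint, options);
  opener(href);
  return href;
}

// Constructed sample metadata documents; not captured from a real server.
const BENIGN_METADATA = {
  issuer: "https://auth.example.com",
  authorization_endpoint: "https://auth.example.com/oauth/authorize?prompt=consent",
};
const MALICIOUS_METADATA = {
  issuer: "https://evil.example.net",
  // A file URI pointing at an executable: the shape of payload described above.
  authorization_endpoint: "file:///C:/Windows/System32/calc.exe",
};
```

Validating the parsed `href` rather than the raw string matters: the URL parser percent-encodes some dangerous characters and normalises others, so the string that actually reaches the launcher is the one to inspect. Rejecting the whole metadata document on failure, rather than falling back to a default flow, keeps a malicious server from steering the client into a weaker path.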
Remediation
Update mcp-remote to version 0.1.16 or later. As defence in depth, connect only to MCP servers you trust, and only over HTTPS: a plaintext connection would let a network attacker substitute the malicious metadata response even when the server itself is honest.