{"id":2344,"date":"2025-08-07T18:12:58","date_gmt":"2025-08-07T18:12:58","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/07\/mcp-horror-stories-the-supply-chain-attack\/"},"modified":"2025-08-07T18:12:58","modified_gmt":"2025-08-07T18:12:58","slug":"mcp-horror-stories-the-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/07\/mcp-horror-stories-the-supply-chain-attack\/","title":{"rendered":"MCP Horror Stories: The Supply Chain Attack"},"content":{"rendered":"

This is Part 2 of our MCP Horror Stories <\/em>series, an in-depth look at real-world security incidents exposing the vulnerabilities in AI infrastructure, and how the Docker MCP Toolkit delivers enterprise-grade protection.<\/p>\n

The Model Context Protocol (MCP) promised to be the \u201cUSB-C for AI applications\u201d \u2013 a universal standard enabling AI agents like ChatGPT, Claude, and GitHub Copilot to safely connect to any tool or service. From reading emails and updating databases to managing Kubernetes clusters and sending Slack messages, MCP creates a standardized bridge between AI applications and the real world.<\/p>\n

But as we discovered in Part 1 of this series<\/a>, that promise has become a security nightmare. For Part 2, we\u2019re covering a critical OAuth vulnerability in mcp-remote that led to credential compromise and remote code execution across AI development environments.<\/p>\n

Today\u2019s Horror Story: The Supply Chain Attack That Compromised 437,000 Environments<\/h2>\n

In this issue, we dive deep into CVE-2025-6514 <\/a>\u2013 a critical vulnerability that turned mcp-remote, a trusted OAuth proxy used by nearly half a million developers, into a remote code execution nightmare. This supply chain attack represents the first documented case of full system compromise achieved through the MCP infrastructure, affecting AI development environments at organizations using Cloudflare, Hugging Face, Auth0, and countless others.<\/p>\n

You\u2019ll learn:<\/p>\n

How a simple OAuth configuration became a system-wide security breach<\/p>\n

The specific attack techniques that bypass traditional security controls<\/p>\n

Why containerized MCP servers prevent entire classes of these attacks<\/p>\n

Practical steps to secure your AI development environment today<\/p>\n

Why This Series Matters<\/h3>\n

Each \u201cHorror Story\u201d in this series examines a real-world security incident that transforms laboratory findings into production disasters. These aren\u2019t hypothetical attacks \u2013 they\u2019re documented cases where the MCP security issues and vulnerabilities<\/a> we identified in Part 1 have been successfully exploited against actual organizations and developers.<\/p>\n

Our goal is to show the human impact behind the statistics, demonstrate how these attacks unfold in practice, and provide concrete guidance on protecting your AI development infrastructure through Docker\u2019s security-first approach to MCP deployment.<\/p>\n

The story begins with something every developer has done: configuring their AI client to connect to a new tool\u2026<\/p>\n

<\/div>\n

Caption: comic depicting OAuth vulnerability in mcp-remote horror story ~ a remote code execution nightmare<\/em><\/p>\n

The Problem<\/h3>\n

In July 2025, JFrog Security Research<\/a> discovered CVE-2025-6514<\/a>. CVE-2025-6514 is a critical vulnerability in mcp-remote that affects how AI tools like Claude Desktop, VS Code, and Cursor connect to external services. With a devastating CVSS score of 9.6 out of 10, this vulnerability represents the first documented case of full remote code execution achieved against an MCP client in a real-world scenario.<\/p>\n

The Scale of the Problem<\/h3>\n

The impact is staggering. The mcp-remote package has been downloaded more than 437,000 times<\/a>, making this vulnerability a supply chain attack affecting hundreds of thousands of AI development environments. mcp-remote has been featured in integration guides from major platforms, including Cloudflare<\/a>, Hugging Face<\/a>, and Auth0<\/a>, demonstrating its widespread enterprise adoption.<\/p>\n

How the Attack Works<\/h3>\n

Here\u2019s what happened: mcp-remote<\/a>, a widely-used OAuth proxy for AI applications, trusts server-provided OAuth endpoints without validation. An attacker crafted a malicious authorization URL that gets executed directly by your system\u2019s shell. When you configure your AI client to use a new tool, you\u2019re essentially trusting that tool\u2019s server to behave properly. CVE-2025-6514 shows what happens when that trust is misplaced.<\/p>\n

To understand how CVE-2025-6514 became possible, we need to examine the Model Context Protocol\u2019s architecture and identify the specific design decisions that created this attack vector. MCP consists of several interconnected components, each representing a potential point of failure in the security model.<\/p>\n

MCP Client<\/strong> represents AI applications like Claude Desktop, VS Code, or Cursor that receive user prompts and coordinate API calls. In CVE-2025-6514, the client becomes an unwitting enabler, faithfully executing what it believes are legitimate OAuth flows without validating endpoint security.<\/p>\n

mcp-remote (Third-Party OAuth Proxy)<\/strong> serves as the critical vulnerability point\u2014a community-built bridge that emerged to address OAuth limitations while the MCP specification continues evolving its authentication support. This proxy handles OAuth discovery, processes server-provided metadata, and integrates with system URL handlers. However, this third-party solution\u2019s blind trust in server-provided OAuth endpoints creates the direct pathway from malicious JSON to system compromise.<\/p>\n

<\/div>\n

Caption: diagram showing the authentication workflow and attack surface<\/em><\/p>\n

Communication Protocol<\/strong> carries JSON-RPC messages between clients and servers, including the malicious OAuth metadata that triggers CVE-2025-6514. The protocol lacks built-in validation mechanisms to detect command injection attempts in OAuth endpoints.<\/p>\n

System Integration<\/strong> connects mcp-remote to operating system services through URL handlers and shell execution. When mcp-remote processes malicious OAuth endpoints, it passes them directly to system handlers\u2014PowerShell on Windows, shell commands on Unix\u2014enabling arbitrary code execution.<\/p>\n

The vulnerability happens in step 4.<\/strong> mcp-remote receives OAuth metadata from the server and passes authorization endpoints directly to the system without validation.<\/p>\n

Technical Breakdown: The Attack<\/strong><\/h2>\n

Here\u2019s how a developer\u2019s machine and data get compromised:<\/p>\n

1. Legitimate Setup<\/h4>\n

When users want to configure their LLM host, such as Claude Desktop, to connect to a remote MCP server, they follow standard procedures by editing Claude\u2019s configuration file to add an mcp-remote command with only the remote MCP server\u2019s URL:<\/p>\n

\n{
\n “mcpServers”: {
\n “remote-mcp-server-example”: {
\n “command”: “npx”,
\n “args”: [
\n “mcp-remote”,
\n “http:\/\/remote.server.example.com\/mcp”
\n ]
\n }
\n }
\n}\n<\/div>\n

2. OAuth Discovery Request<\/h4>\n

When the developer restarts Claude Desktop, mcp-remote makes a request to http:\/\/remote.server.example.com\/.well-known\/oauth-authorization-server to get OAuth metadata.<\/p>\n

3. Malicious Response<\/h4>\n

Instead of legitimate OAuth config, the compromised server returns:<\/p>\n

\n{
\n “authorization_endpoint”: “a:$(cmd.exe \/c whoami > c:\\temp\\pwned.txt)”,
\n “registration_endpoint”: “https:\/\/remote.server.example.com\/register”,
\n “code_challenge_methods_supported”: [“S256”]
\n}\n<\/div>\n

Note: The a: protocol prefix exploits the fact that non-existing URI schemes don\u2019t get URL-encoded, allowing the $() PowerShell subexpression to execute. This specific technique was discovered by JFrog Security Research as the most reliable way to achieve full command execution.<\/p>\n

4. Code Execution<\/h4>\n

mcp-remote processes this like any OAuth endpoint and attempts to open it in a browser:<\/p>\n

\n\/\/ Vulnerable code pattern in mcp-remote (from auth.ts)
\nconst authUrl = oauthConfig.authorization_endpoint;
\n\/\/ No validation of URL format or protocol
\nawait open(authUrl.toString()); \/\/ Uses ‘open’ npm package\n<\/div>\n

The open() function on Windows executes:<\/p>\n

\npowershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand ‘…’\n<\/div>\n

Which decodes and runs:<\/p>\n

\nStart “a:$(cmd.exe \/c whoami > c:\\temp\\pwned.txt)”\n<\/div>\n

The a: protocol triggers Windows\u2019 protocol handler, and the $() PowerShell subexpression operator executes the embedded cmd.exe command with your user privileges.<\/p>\n

The Impact<\/h3>\n

Within seconds, the attacker now has:<\/p>\n

Your development machine compromised<\/p>\n

Ability to execute arbitrary commands<\/p>\n

Access to environment variables and credentials<\/p>\n

Potential access to your company\u2019s internal repositories<\/p>\n

How Docker MCP Toolkit Eliminates This Attack Vector<\/h2>\n

The current MCP ecosystem forces developers into a dangerous trade-off between convenience and security. Every time you run npx -y @untrusted\/mcp-server or uvx some-mcp-tool, you\u2019re executing arbitrary code directly on your host system with full access to:<\/p>\n

Your entire file system<\/p>\n

All network connections<\/p>\n

Environment variables and secrets<\/p>\n

System resources<\/p>\n

This is exactly how CVE-2025-6514 achieves system compromise\u2014through trusted execution paths that become attack vectors. When mcp-remote processes malicious OAuth endpoints, it passes them directly to your system\u2019s shell, enabling arbitrary code execution with your user privileges.<\/p>\n

Docker\u2019s Security-First Architecture<\/h3>\n

Docker MCP Catalog and Toolkit represent a fundamental shift toward making security the path of least resistance. Rather than patching individual vulnerabilities, Docker built an entirely new distribution and execution model that eliminates entire classes of attacks by design. The explosive adoption of Docker\u2019s MCP Catalog \u2013 surpassing 5 million pulls in just a few weeks \u2013 demonstrates that developers are hungry for a secure way to run MCP servers.\u00a0<\/p>\n

Docker MCP Catalog and Toolkit fundamentally solves CVE-2025-6514 by eliminating the vulnerable architecture entirely. Unlike npm packages that can be hijacked or compromised, Docker MCP Catalog and Toolkit include:<\/p>\n

Cryptographic verification<\/strong> ensuring images haven\u2019t been tampered with<\/p>\n

Transparent build processes<\/strong> for Docker-built servers<\/p>\n

Continuous security scanning<\/strong> for known vulnerabilities<\/p>\n

Immutable distribution<\/strong> through Docker Hub\u2019s secure infrastructure<\/p>\n

Eliminating Vulnerable Proxy Patterns<\/h3>\n

1. Native OAuth Integration<\/h4>\n

Instead of relying on mcp-remote, Docker Desktop handles OAuth directly:<\/p>\n

\n# No vulnerable mcp-remote needed
\ndocker mcp oauth ls
\ngithub | not authorized
\ngdrive | not authorized\n

# Secure OAuth through Docker Desktop
\ndocker mcp oauth authorize github
\n# Opens browser securely via Docker’s OAuth flow<\/p>\n

docker mcp oauth ls
\ngithub | authorized
\ngdrive | not authorized <\/p>\n<\/div>\n

2. No More mcp-remote Proxy<\/h4>\n

Instead of using vulnerable proxy tools, Docker provides containerized MCP servers:<\/p>\n

\n# Traditional vulnerable approach:
\n{
\n “mcpServers”: {
\n “remote-server”: {
\n “command”: “npx”,
\n “args”: [“mcp-remote”, “http:\/\/remote.server.example.com\/mcp”]
\n }
\n }
\n}\n

# Docker MCP Toolkit approach:
\ndocker mcp server enable github-official
\ndocker mcp server enable grafana\n<\/p><\/div>\n

No proxy = No proxy vulnerabilities.<\/p>\n

3. Container Isolation with Security Controls<\/h4>\n

While containerization doesn\u2019t prevent CVE-2025-6514 (since that vulnerability occurs in the host-based proxy), Docker MCP provides defense-in-depth through container isolation for other attack vectors:<\/p>\n

\n# Maximum security configuration
\ndocker mcp gateway run
\n –verify-signatures
\n –block-network
\n –block-secrets
\n –cpus 1
\n –memory 1Gb\n<\/div>\n

This protects against tool-based attacks, command injection in MCP servers, and other container-breakout attempts.<\/p>\n

4. Secure Secret Management<\/h4>\n

Instead of environment variables, Docker MCP uses Docker Desktop\u2019s secure secret store:<\/p>\n

\n# Secure secret management
\ndocker mcp secret set GITHUB_TOKEN=ghp_your_token
\ndocker mcp secret ls
\n# Secrets are never exposed as environment variables\n<\/div>\n

5. Network Security Controls<\/h4>\n

Prevent unauthorized outbound connections:<\/p>\n

\n# Zero-trust networking
\ndocker mcp gateway run –block-network
\n# Only allows pre-approved destinations like api.github.com:443\n<\/div>\n

6. Real-Time Threat Protection<\/h4>\n

Active monitoring and prevention:<\/p>\n

\n# Block secret exfiltration
\ndocker mcp gateway run –block-secrets
\n# Scans tool responses for leaked credentials\n

# Resource limits prevent crypto miners
\ndocker mcp gateway run –cpus 1 –memory 512Mb\n<\/p><\/div>\n

7. Attack Prevention in Practice<\/h4>\n

The same attack that works against traditional MCP fails against Docker:<\/p>\n

\n# Traditional MCP (vulnerable to CVE-2025-6514)
\nnpx mcp-remote http:\/\/malicious-server.com\/mcp
\n# \u2192 OAuth endpoint executed on host \u2192 PowerShell RCE \u2192 System compromised\n

# Docker MCP (attack contained)
\ndocker mcp server enable untrusted-server
\n# \u2192 Runs in container \u2192 L7 proxy controls network \u2192 Secrets protected \u2192 Host safe<\/p>\n<\/div>\n

8. Practical Security Improvements<\/h4>\n

Here\u2019s what you get with Docker MCP Toolkit:<\/p>\n

\n

Security Aspect<\/p>\n

Traditional MCP<\/p>\n

Docker MCP Toolkit<\/p>\n

Execution Model<\/p>\n

Direct host execution via npx\/mcp-remote<\/p>\n

Containerized isolation<\/p>\n

OAuth Handling<\/p>\n

Vulnerable proxy with shell execution<\/p>\n

No proxy needed, secure gateway<\/p>\n

Secret Management<\/p>\n

Environment variables<\/p>\n

Docker Desktop secure store<\/p>\n

Network Access<\/p>\n

Unrestricted host networking<\/p>\n

L7 proxy with allowlisted destinations<\/p>\n

Resource Controls<\/p>\n

None<\/p>\n

CPU\/memory limits, container isolation<\/p>\n

Monitoring<\/p>\n

No visibility<\/p>\n

Comprehensive logging with –log-calls<\/p>\n<\/div>\n

Best Practices for Secure MCP Deployment<\/h2>\n

Start with Docker-built servers \u2013 Choose the gold standard when available<\/p>\n

Migrate from mcp-remote \u2013 Use containerized MCP servers instead<\/p>\n

Enable security controls \u2013 Use –block-network and –block-secrets<\/p>\n

Verify images \u2013 Use –verify-signatures for supply chain security<\/p>\n

Set resource limits \u2013 Prevent resource exhaustion attacks<\/p>\n

Monitor tool calls \u2013 Enable logging with –log-calls for audit trails<\/p>\n

Regular security updates \u2013 Keep Docker MCP Toolkit updated<\/p>\n

Take Action: Secure Your AI Development Today<\/h2>\n

The path to secure MCP development starts with a single step. Here\u2019s how you can join the movement away from vulnerable MCP practices:<\/p>\n

Browse the Docker MCP Catalog<\/a> to find containerized, verified MCP servers that replace risky npm packages with enterprise-grade security.<\/p>\n

Install Docker Desktop<\/a> and run MCP servers safely in isolated containers with help with Docker MCP Toolkit. Compatible with all major AI clients including Claude Desktop, Cursor, VS Code, and more\u2014without the security risks.<\/p>\n

Have an MCP server? Help build the secure ecosystem by submitting it<\/a> to the Docker catalog. Choose Docker-built for maximum security or community-built for container isolation benefits.<\/p>\n

Conclusion<\/h3>\n

CVE-2025-6514 demonstrates why the current MCP ecosystem needs fundamental security improvements. By containerizing MCP servers<\/a> and eliminating vulnerable proxy patterns, Docker MCP Toolkit doesn\u2019t just patch this specific vulnerability\u2014it prevents entire classes of host-based attacks.<\/p>\n

Coming up in our series: MCP Horror Stories issue 3 will explore how GitHub\u2019s official MCP integration became a vector for private repository data theft through prompt injection attacks.<\/em><\/p>\n

Learn more<\/h3>\n

Explore the MCP Catalog<\/strong>: Visit the MCP Catalog<\/a> <\/a>to discover MCP servers that solve your specific needs securely.<\/p>\n

Use and test hundreds of MCP Servers<\/strong>: Download Docker Desktop<\/a> <\/a>to download and use any MCP server in our catalog with your favorite clients: Gordon, Claude, Cursor, VSCode, etc<\/p>\n

Submit your server<\/strong>: Join the movement toward secure AI tool distribution. Check our submission guidelines<\/a> for more.<\/p>\n

Follow our progress<\/strong>: Star our repository and watch for updates on the MCP Gateway release <\/a>and remote server capabilities.<\/p>\n

Read issue #1<\/a> of this MCP Horror Stories series<\/p>","protected":false},"excerpt":{"rendered":"

This is Part 2 of our MCP Horror Stories series, an in-depth look at real-world security incidents exposing the vulnerabilities […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2344","post","type-post","status-publish","format-standard","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2344"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2344\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}