MCP Remote

v0.0.18

Remote MCP server connection over HTTP with SSE transport. WARNING: Critical command injection vulnerability (CVE-2025-6514).

By Glen MaddernMIT

typescript

developer tools

1.9Kstars

42.0Kdownloads

245forks

Scanned Feb 1, 2026

Website Repository NPM

remote http sse vulnerable

F25%

Scanned 6d ago

Critical Issues

Vulnerabilities Found

3Crit

3High

3Med

3Low

4Info

Security ScoreF

out of 100

Vulnerabilities Found

Crit

High

Medi

Low

Info

Last scanned: 2/1/2026

Quality ScoreF

out of 100

Maint.

Popular

Docs

Compat

Maintenance45%

Popularity47%

Documentation50%

Compatibility48%

Maintenance45

Active

6 days ago

Commit Frequency45%

Release Frequency41%

Issue Response45%

Popularity47

1.9K

Stars

42.0K

Downloads

245

Forks

Stars Score59%

Downloads Score71%

Forks Score62%

Documentation50

README Quality84%

Available Documentation

API DocsExamplesChangelog

Compatibility48

MCP Spec Compliance50%

Transport Support100%

Features

TypeScript

Supported Transports

SSEHTTP

Vulnerabilities(16)

3Critical

3High

3Medium

3Low

4Info

Filter:

READMEMCP Remote

View source

MCP Remote

⚠️ SECURITY VULNERABILITY ⚠️

This package has a critical command injection vulnerability (CVE-2025-6514) with a CVSS score of 9.3.

Vulnerability Details

The mcp-remote package allows connecting to remote MCP servers over HTTP. However, versions prior to 0.0.19 have a critical command injection vulnerability where unsanitized server URLs can lead to arbitrary command execution.

Impact

An attacker can execute arbitrary commands on the client machine by crafting a malicious server URL.

Mitigation

Update to version 0.0.19 or later which includes input sanitization.

Original Features

Connect to remote MCP servers
SSE transport support
URL-based server discovery

Embed Security Badge

Add this badge to your README or documentation

Badge Type

Style

[![MCP Remote MCPSafe Security](https://api.mcpsafe.org
/api/badge/mcp-remote.svg)](https://mcpsafe.org/registry/mcp-remote)

Need more customization options?Badge Documentation

Server Information

Source: NPM
Package: mcp-remote
Version: 0.0.18
Language: typescript
License: MIT
Transport: SSE
HTTP
Added: Jan 20, 2026
Updated: Feb 1, 2026

Actions

Compare with other servers Request rescan

MCP Remote

Security ScoreF

Vulnerabilities Found

Quality ScoreF

Maintenance45

Popularity47

Documentation50

Available Documentation

Compatibility48

Features

Supported Transports

Vulnerabilities(16)

Remote Code Execution via eval()

SQL Injection in Query Builder

Command Injection via shell exec

Path Traversal Vulnerability

Hardcoded API Credentials

Prototype Pollution

Insecure Random Number Generation

Missing Input Validation in MCP Tool

Excessive Permission Request

Missing Rate Limiting

Verbose Error Messages

Outdated Dependency

Missing Security Headers

Console Logging in Production

Missing TypeScript Strict Mode

Missing Documentation

READMEMCP Remote

MCP Remote

Vulnerability Details

Impact

Mitigation

Original Features

Embed Security Badge

Server Information

Actions