CVE-2025-6514: mcp-remote exposed to OS command injection via untrusted MCP server connections

Severity: Critical

CVSS Score: 9.7

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL