GPT-5 in Azure AI Foundry: The future of AI apps and agents starts here

For business leaders building with AI, the conversation has moved beyond chat. The bar is higher: can your AI generate, reason, and deliver measurable outcomes—safely and at scale?

Today, we’re announcing general availability of OpenAI’s new flagship model, GPT-5, in Azure AI Foundry. This is more than a new model release; it is the most powerful LLM ever released across key benchmarks. GPT-5 in Azure AI Foundry pairs frontier reasoning with high-performance generation and cost efficiency, delivered on Microsoft Azure’s enterprise-grade platform so organizations can move from pilots to production with confidence. 

Enhance customer experiences with Azure AI Foundry

GPT-5 in Azure AI Foundry: Built for real-world workloads

In Azure AI Foundry, the GPT-5 models are available via API and orchestrated by the model router. The GPT-5 series spans complementary strengths:

GPT-5, a full reasoning model, provides deep, rich reasoning for analytics and complex tasks such as code generation, with a 272k token context.

GPT-5 mini powers real-time experiences for apps and agents that require reasoning and tool calling to solve customer problems.

GPT-5 nano is a new class of reasoning model which focuses on ultra-low-latency and speed with rich Q&A capabilities.

GPT-5 chat enables natural, multimodal, multi-turn conversations that remain context-aware throughout agentic workflows, with 128k token context.

Together, the suite delivers a seamless continuum from rigorous agentic coding tasks, to relatively simple Q&A—all delivered with the same Azure AI Foundry endpoint using model router in Foundry Models.

Under the hood, GPT-5 unifies advanced reasoning, code generation, and natural language interaction. It combines analytical depth with intuitive dialogue to solve end-to-end problems and explain its approach. Agentic capabilities allow multi-step tool use and long action chains with transparent, auditable decisions. As a frontier-level coding model, GPT-5 can plan complex agentic workflows, build migrations, and refactor code, as well as produce tests and documentation with clear rationale. Developer controls—including parameters like reasoning_effort and verbosity—let teams tune depth, speed, and detail, while new freeform tool-calling features broaden tool compatibility without rigid schemas.

Orchestrate with the model router—then scale with agents

Introducing GPT-5 to Azure AI Foundry is more than a model drop: it’s a leap forward for the platform. Starting today, developers can use the model router in Foundry Models to maximize the capabilities of the GPT-5 family models (and other models in Foundry Models) while saving up to 60% on inferencing cost with no loss in fidelity. Powered by a fine-tuned SLM under the hood, the model router evaluates each prompt and decides the optimal model based on the complexity, performance needs, and cost efficiency of each task. Let the model router pick the right model so that you can build your AI-powered applications with ease.

And orchestration doesn’t stop at routing—Foundry carries the same intelligence into agents. Coming soon, GPT-5 will be available in the Foundry Agent Service, pairing frontier models with built-in tools including new browser automation and Model Context Protocol (MCP) integrations. The result: policy-governed, tool-using agents that can search, act in web apps, and complete end-to-end tasks—instrumented with Foundry telemetry and aligned to Microsoft Responsible AI.

Accelerating business impact with GPT-5

These capabilities map directly to business impact.

In research and knowledge work, GPT-5 accelerates financial and legal analysis, market intelligence, and due diligence—reading at scale and producing decision-ready output with traceability. In operations and decisioning, it strengthens logistics support, risk assessment, and claims processing by pairing robust reasoning with policy adherence. Copilots and customer experience teams benefit from multi-turn, multimodal agents that reason in real time, call tools, resolve tasks, and hand off to humans with more helpful context.

In software engineering, GPT-5 excels at code generation, application modernization, and quality engineering—improving code style and explanations to compress review cycles.

And for use cases which are cost or latency sensitive, GPT-5-nano’s ultra‑low‑latency architecture delivers rapid, high‑accuracy responses, making it the ideal target for fine‑tuning and the go‑to model for high‑volume, straightforward requests.

GPT-5 customer spotlight

Customers are unleashing GPT-5 across complex, mission-critical workloads—accelerating decision-making, supercharging coding, and catalyzing product innovation.

SAP

SAP is excited to be among the first to leverage the power of GPT-5 in Azure AI Foundry within our generative AI hub in AI Foundation. GPT-5 in Azure AI Foundry will enable our product team and our developer community to deliver impactful business innovations to our customers.
—Dr. Walter Sun, SVP and Global Head of AI, SAP SE

Relativity

The GPT-5 in Azure AI Foundry raises the bar for putting legal data intelligence into action… This next-generation AI will empower legal teams to uncover deeper insights, accelerate decision-making, and drive stronger strategies across the entire legal process.
—Dr. Aron Ahmadia, Senior Director, Applied Science, Relativity

Hebbia

The partnership between Hebbia and Azure AI Foundry gives financial professionals an unprecedented edge. With GPT-5’s advanced reasoning in Hebbia, they can pinpoint critical figures across thousands of documents and structure complex financial analysis with speed and accuracy.
—Danny Wheller, VP of Business and Strategy

Building with AI in GitHub Copilot and Visual Studio Code

GPT-5 begins rolling out today to millions of developers using GitHub Copilot and Visual Studio Code, applying the flagship model’s advanced reasoning capabilities to increasingly complex problems—from sophisticated refactoring to navigating large codebases more effectively. GPT-5 helps developers write, test, and deploy code faster, while supporting agentic coding tasks with significant improvements to coding style and overall code quality. With GPT-5, developers not only code faster, but code better.

With today’s VS Code release, developers also gain a more powerful agentic coding experience directly within the editor: GitHub Copilot’s coding agent has an improved experience for autonomously tackling tasks in the background. Additionally, the GitHub Copilot chat experience brings increased productivity, including support beyond 128 tools for a single chat request and chat checkpoints that allow users to restore workspace changes to a prior point. Today, we are also announcing an updated Azure AI Foundry extension for developing agents entirely within the VS Code environment.

These announcements extend Microsoft’s strategy to transform software development with AI, bringing advanced AI capabilities to the entire software lifecycle.

Security, safety, and governance by design

In all domains, security and safety are a layer cake of protections, which together provide protection for risk scenarios—and AI is no different. For AI, we think about layers with the model as the core. With GPT-5, the core is safer than before:

The Microsoft AI Red Team found GPT-5 to have one of the strongest safety profiles of any OpenAI model, performing on par with—or better than—o3.
—Dr. Sarah Bird, Chief Product Officer of Responsible AI, Microsoft

As we think about the safety, security, and governance layers around this core—Azure AI Foundry provides a number of additional controls:

Azure AI Content Safety protections are applied to every prompt and completion, such as prompt shields, which help to detect and mitigate prompt-injection attempts before they reach the model.

Built-in agent evaluators work with the AI Red Teaming Agent to run alignment, bias, and security tests throughout development and production, while continuous evaluation streams real-time metrics (latency, quality, safety, and fairness) into Azure Monitor and Application Insights for single-pane visibility.

Finally, security signals integrate directly with Microsoft Defender for Cloud, and runtime metadata and evaluation results are integrated into Microsoft Purview for audit, data-loss prevention, and regulatory reporting, extending protection and governance across the entire GPT-5 lifecycle.

Bringing AI into every workflow with GitHub Copilot and Visual Studio Code

Starting today, GPT-5 begins rolling out to millions of developers who use GitHub Copilot and Visual Studio Code; they will be able to select GPT-5 to write, test, and deploy code, and to develop agents using the Azure AI Foundry extension, all within the VS Code environment. GPT-5 supports complex agentic coding tasks with significant improvements to coding personality, front-end aesthetics, and code quality, improvements the developer community has long asked for.

Our evaluations show OpenAI GPT-5’s reasoning capabilities and contextual awareness exceed o3, enabling developers to tackle more complex problems—from refactoring to navigating large codebases. With GPT-5, users in the Visual Studio family can not only code faster, but code better.

VS Code and our recent decision to open-source GitHub Copilot represent our commitment to open tools and standards, and demonstrate our ability to meet the rapid pace of model innovation while keeping the developer experience at the forefront. In today’s VS Code release, developers have even more control over their experience in chat, with improvements to the reliability of terminal tools, updates to the tool picker and limits, new checkpoints, and more.

Today’s announcement extends Microsoft’s strategy to transform software development with AI, bringing advanced AI capabilities to the entire software lifecycle.

Start building today

GPT-5 is available via our Standard offering in Azure AI Foundry, with deployment choices optimized for cost-efficiency and governance needs, including Global and Data Zone (United States, European Union) deployment options for data residency and compliance.1

With Azure AI Foundry’s first-class reliability, real-time evaluations, built-in observability, and secure deployment options, you can confidently move from pilot to production, while unique tools like the model router optimize quality, latency, and cost across workloads.


1 Pricing is accurate as of August 2025.
The post GPT-5 in Azure AI Foundry: The future of AI apps and agents starts here appeared first on Microsoft Azure Blog.
Source: Azure

MCP Horror Stories: The Supply Chain Attack

This is Part 2 of our MCP Horror Stories series, an in-depth look at real-world security incidents exposing the vulnerabilities in AI infrastructure, and how the Docker MCP Toolkit delivers enterprise-grade protection.

The Model Context Protocol (MCP) promised to be the “USB-C for AI applications” – a universal standard enabling AI agents like ChatGPT, Claude, and GitHub Copilot to safely connect to any tool or service. From reading emails and updating databases to managing Kubernetes clusters and sending Slack messages, MCP creates a standardized bridge between AI applications and the real world.

But as we discovered in Part 1 of this series, that promise has become a security nightmare. For Part 2, we’re covering a critical OAuth vulnerability in mcp-remote that led to credential compromise and remote code execution across AI development environments.

Today’s Horror Story: The Supply Chain Attack That Compromised 437,000 Environments

In this issue, we dive deep into CVE-2025-6514 – a critical vulnerability that turned mcp-remote, a trusted OAuth proxy used by nearly half a million developers, into a remote code execution nightmare. This supply chain attack represents the first documented case of full system compromise achieved through the MCP infrastructure, affecting AI development environments at organizations using Cloudflare, Hugging Face, Auth0, and countless others.

You’ll learn:

How a simple OAuth configuration became a system-wide security breach

The specific attack techniques that bypass traditional security controls

Why containerized MCP servers prevent entire classes of these attacks

Practical steps to secure your AI development environment today

Why This Series Matters

Each “Horror Story” in this series examines a real-world security incident that transforms laboratory findings into production disasters. These aren’t hypothetical attacks – they’re documented cases where the MCP security issues and vulnerabilities we identified in Part 1 have been successfully exploited against actual organizations and developers.

Our goal is to show the human impact behind the statistics, demonstrate how these attacks unfold in practice, and provide concrete guidance on protecting your AI development infrastructure through Docker’s security-first approach to MCP deployment.

The story begins with something every developer has done: configuring their AI client to connect to a new tool…

Caption: comic depicting OAuth vulnerability in mcp-remote horror story ~ a remote code execution nightmare

The Problem

In July 2025, JFrog Security Research discovered CVE-2025-6514, a critical vulnerability in mcp-remote that affects how AI tools like Claude Desktop, VS Code, and Cursor connect to external services. With a devastating CVSS score of 9.6 out of 10, this vulnerability represents the first documented case of full remote code execution achieved against an MCP client in a real-world scenario.

The Scale of the Problem

The impact is staggering. The mcp-remote package has been downloaded more than 437,000 times, making this vulnerability a supply chain attack affecting hundreds of thousands of AI development environments. mcp-remote has been featured in integration guides from major platforms, including Cloudflare, Hugging Face, and Auth0, demonstrating its widespread enterprise adoption.

How the Attack Works

Here’s what happened: mcp-remote, a widely-used OAuth proxy for AI applications, trusts server-provided OAuth endpoints without validation. An attacker crafted a malicious authorization URL that gets executed directly by your system’s shell. When you configure your AI client to use a new tool, you’re essentially trusting that tool’s server to behave properly. CVE-2025-6514 shows what happens when that trust is misplaced.

To understand how CVE-2025-6514 became possible, we need to examine the Model Context Protocol’s architecture and identify the specific design decisions that created this attack vector. MCP consists of several interconnected components, each representing a potential point of failure in the security model.

MCP Client represents AI applications like Claude Desktop, VS Code, or Cursor that receive user prompts and coordinate API calls. In CVE-2025-6514, the client becomes an unwitting enabler, faithfully executing what it believes are legitimate OAuth flows without validating endpoint security.

mcp-remote (Third-Party OAuth Proxy) serves as the critical vulnerability point—a community-built bridge that emerged to address OAuth limitations while the MCP specification continues evolving its authentication support. This proxy handles OAuth discovery, processes server-provided metadata, and integrates with system URL handlers. However, this third-party solution’s blind trust in server-provided OAuth endpoints creates the direct pathway from malicious JSON to system compromise.

Caption: diagram showing the authentication workflow and attack surface

Communication Protocol carries JSON-RPC messages between clients and servers, including the malicious OAuth metadata that triggers CVE-2025-6514. The protocol lacks built-in validation mechanisms to detect command injection attempts in OAuth endpoints.

System Integration connects mcp-remote to operating system services through URL handlers and shell execution. When mcp-remote processes malicious OAuth endpoints, it passes them directly to system handlers—PowerShell on Windows, shell commands on Unix—enabling arbitrary code execution.

The vulnerability happens in step 4. mcp-remote receives OAuth metadata from the server and passes authorization endpoints directly to the system without validation.

Technical Breakdown: The Attack

Here’s how a developer’s machine and data get compromised:

1. Legitimate Setup

When users want to configure their LLM host, such as Claude Desktop, to connect to a remote MCP server, they follow standard procedures by editing Claude’s configuration file to add an mcp-remote command with only the remote MCP server’s URL:

{
  "mcpServers": {
    "remote-mcp-server-example": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "http://remote.server.example.com/mcp"
      ]
    }
  }
}

2. OAuth Discovery Request

When the developer restarts Claude Desktop, mcp-remote makes a request to http://remote.server.example.com/.well-known/oauth-authorization-server to get OAuth metadata.

3. Malicious Response

Instead of legitimate OAuth config, the compromised server returns:

{
  "authorization_endpoint": "a:$(cmd.exe /c whoami > c:\\temp\\pwned.txt)",
  "registration_endpoint": "https://remote.server.example.com/register",
  "code_challenge_methods_supported": ["S256"]
}

Note: The a: protocol prefix exploits the fact that non-existing URI schemes don’t get URL-encoded, allowing the $() PowerShell subexpression to execute. This specific technique was discovered by JFrog Security Research as the most reliable way to achieve full command execution.

4. Code Execution

mcp-remote processes this like any OAuth endpoint and attempts to open it in a browser:

// Vulnerable code pattern in mcp-remote (from auth.ts)
const authUrl = oauthConfig.authorization_endpoint;
// No validation of URL format or protocol
await open(authUrl.toString()); // Uses 'open' npm package

The open() function on Windows executes:

powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand '…'

Which decodes and runs:

Start "a:$(cmd.exe /c whoami > c:\temp\pwned.txt)"

The a: protocol triggers Windows’ protocol handler, and the $() PowerShell subexpression operator executes the embedded cmd.exe command with your user privileges.
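As an added example (not mcp-remote’s code and not part of the original post), here is the hardened counterpart of the pattern in step 4: every endpoint in the OAuth metadata document is validated before anything reaches a URL opener, and the flow fails closed. The policy options (allowedHosts, allowLoopbackHttp), the injected opener callback, and the two sample metadata documents are assumptions constructed for illustration from the responses shown above.

```javascript
// Added example: validate RFC 8414-style OAuth authorization-server metadata
// before any endpoint is handed to a browser or OS protocol handler.
// `policy` knobs are illustrative assumptions, not mcp-remote options.
const ENDPOINT_KEYS = ["authorization_endpoint", "token_endpoint", "registration_endpoint"];
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns { ok: true, url } for an acceptable endpoint, or { ok: false, reason }.
function validateEndpointUrl(raw, policy = {}) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "endpoint missing or not a string" };
  }
  // Shell/PowerShell metacharacters never belong in an OAuth endpoint. Reject
  // them before parsing: an opaque-path URL such as "a:$(...)" parses cleanly
  // with WHATWG URL, so parsing alone would not catch it.
  if (/[\s$`"'<>|;&(){}]/.test(raw)) {
    return { ok: false, reason: "unsafe characters in endpoint" };
  }
  let url;
  try {
    url = new URL(raw); // global WHATWG URL in Node.js and browsers
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Only web schemes may reach a browser/protocol handler; plaintext http is
  // tolerated only for loopback development servers when policy allows it.
  if (url.protocol === "http:") {
    if (!(policy.allowLoopbackHttp && LOOPBACK_HOSTS.has(url.hostname))) {
      return { ok: false, reason: "plaintext http only allowed for loopback" };
    }
  } else if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL not allowed" };
  }
  // Optional operator allowlist of authorization-server hosts (assumed policy).
  if (policy.allowedHosts && !policy.allowedHosts.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not in allowlist` };
  }
  return { ok: true, url: url.toString() };
}

// Validate every endpoint present in the metadata; fail closed on the first problem.
function validateOAuthMetadata(metadata, policy = {}) {
  if (!metadata || typeof metadata !== "object") {
    return { ok: false, reason: "metadata is not an object" };
  }
  const endpoints = {};
  for (const key of ENDPOINT_KEYS) {
    if (metadata[key] === undefined) continue; // optional endpoints may be absent
    const result = validateEndpointUrl(metadata[key], policy);
    if (!result.ok) return { ok: false, reason: `${key}: ${result.reason}` };
    endpoints[key] = result.url;
  }
  if (!endpoints.authorization_endpoint) {
    return { ok: false, reason: "authorization_endpoint is required" };
  }
  return { ok: true, endpoints };
}

// Hardened counterpart to `await open(authUrl.toString())`: the opener (for
// example the 'open' package) is only ever called with a validated https URL.
async function openAuthorizationEndpoint(metadata, policy, opener) {
  const result = validateOAuthMetadata(metadata, policy);
  if (!result.ok) throw new Error(`refusing OAuth flow: ${result.reason}`);
  await opener(result.endpoints.authorization_endpoint);
  return result.endpoints.authorization_endpoint;
}

// Constructed sample inputs: a legitimate document and the injection payload
// from the incident write-up in the authorization_endpoint field.
const SAMPLE_LEGIT = {
  authorization_endpoint: "https://remote.server.example.com/authorize",
  registration_endpoint: "https://remote.server.example.com/register",
  code_challenge_methods_supported: ["S256"],
};
const SAMPLE_MALICIOUS = {
  authorization_endpoint: "a:$(cmd.exe /c whoami > c:\\temp\\pwned.txt)",
  registration_endpoint: "https://remote.server.example.com/register",
  code_challenge_methods_supported: ["S256"],
};
```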

The Impact

Within seconds, the attacker now has:

Your development machine compromised

Ability to execute arbitrary commands

Access to environment variables and credentials

Potential access to your company’s internal repositories

How Docker MCP Toolkit Eliminates This Attack Vector

The current MCP ecosystem forces developers into a dangerous trade-off between convenience and security. Every time you run npx -y @untrusted/mcp-server or uvx some-mcp-tool, you’re executing arbitrary code directly on your host system with full access to:

Your entire file system

All network connections

Environment variables and secrets

System resources

This is exactly how CVE-2025-6514 achieves system compromise—through trusted execution paths that become attack vectors. When mcp-remote processes malicious OAuth endpoints, it passes them directly to your system’s shell, enabling arbitrary code execution with your user privileges.

Docker’s Security-First Architecture

Docker MCP Catalog and Toolkit represent a fundamental shift toward making security the path of least resistance. Rather than patching individual vulnerabilities, Docker built an entirely new distribution and execution model that eliminates entire classes of attacks by design. The explosive adoption of Docker’s MCP Catalog – surpassing 5 million pulls in just a few weeks – demonstrates that developers are hungry for a secure way to run MCP servers. 

Docker MCP Catalog and Toolkit fundamentally solves CVE-2025-6514 by eliminating the vulnerable architecture entirely. Unlike npm packages that can be hijacked or compromised, Docker MCP Catalog and Toolkit include:

Cryptographic verification ensuring images haven’t been tampered with

Transparent build processes for Docker-built servers

Continuous security scanning for known vulnerabilities

Immutable distribution through Docker Hub’s secure infrastructure

Eliminating Vulnerable Proxy Patterns

1. Native OAuth Integration

Instead of relying on mcp-remote, Docker Desktop handles OAuth directly:

# No vulnerable mcp-remote needed
docker mcp oauth ls
github | not authorized
gdrive | not authorized

# Secure OAuth through Docker Desktop
docker mcp oauth authorize github
# Opens browser securely via Docker's OAuth flow

docker mcp oauth ls
github | authorized
gdrive | not authorized

2. No More mcp-remote Proxy

Instead of using vulnerable proxy tools, Docker provides containerized MCP servers:

# Traditional vulnerable approach:
{
"mcpServers": {
"remote-server": {
"command": "npx",
"args": ["mcp-remote", "http://remote.server.example.com/mcp"]
}
}
}

# Docker MCP Toolkit approach:
docker mcp server enable github-official
docker mcp server enable grafana

No proxy = No proxy vulnerabilities.

3. Container Isolation with Security Controls

While containerization doesn’t prevent CVE-2025-6514 (since that vulnerability occurs in the host-based proxy), Docker MCP provides defense-in-depth through container isolation for other attack vectors:

# Maximum security configuration
docker mcp gateway run \
  --verify-signatures \
  --block-network \
  --block-secrets \
  --cpus 1 \
  --memory 1Gb

This protects against tool-based attacks, command injection in MCP servers, and other container-breakout attempts.

4. Secure Secret Management

Instead of environment variables, Docker MCP uses Docker Desktop’s secure secret store:

# Secure secret management
docker mcp secret set GITHUB_TOKEN=ghp_your_token
docker mcp secret ls
# Secrets are never exposed as environment variables

5. Network Security Controls

Prevent unauthorized outbound connections:

# Zero-trust networking
docker mcp gateway run --block-network
# Only allows pre-approved destinations like api.github.com:443

6. Real-Time Threat Protection

Active monitoring and prevention:

# Block secret exfiltration
docker mcp gateway run --block-secrets
# Scans tool responses for leaked credentials

# Resource limits prevent crypto miners
docker mcp gateway run --cpus 1 --memory 512Mb

7. Attack Prevention in Practice

The same attack that works against traditional MCP fails against Docker:

# Traditional MCP (vulnerable to CVE-2025-6514)
npx mcp-remote http://malicious-server.com/mcp
# → OAuth endpoint executed on host → PowerShell RCE → System compromised

# Docker MCP (attack contained)
docker mcp server enable untrusted-server
# → Runs in container → L7 proxy controls network → Secrets protected → Host safe

8. Practical Security Improvements

Here’s what you get with Docker MCP Toolkit:

| Security Aspect | Traditional MCP | Docker MCP Toolkit |
|---|---|---|
| Execution Model | Direct host execution via npx/mcp-remote | Containerized isolation |
| OAuth Handling | Vulnerable proxy with shell execution | No proxy needed, secure gateway |
| Secret Management | Environment variables | Docker Desktop secure store |
| Network Access | Unrestricted host networking | L7 proxy with allowlisted destinations |
| Resource Controls | None | CPU/memory limits, container isolation |
| Monitoring | No visibility | Comprehensive logging with --log-calls |

Best Practices for Secure MCP Deployment

Start with Docker-built servers – Choose the gold standard when available

Migrate from mcp-remote – Use containerized MCP servers instead

Enable security controls – Use --block-network and --block-secrets

Verify images – Use --verify-signatures for supply chain security

Set resource limits – Prevent resource exhaustion attacks

Monitor tool calls – Enable logging with --log-calls for audit trails

Regular security updates – Keep Docker MCP Toolkit updated

Take Action: Secure Your AI Development Today

The path to secure MCP development starts with a single step. Here’s how you can join the movement away from vulnerable MCP practices:

Browse the Docker MCP Catalog to find containerized, verified MCP servers that replace risky npm packages with enterprise-grade security.

Install Docker Desktop and run MCP servers safely in isolated containers with the help of Docker MCP Toolkit. Compatible with all major AI clients including Claude Desktop, Cursor, VS Code, and more—without the security risks.

Have an MCP server? Help build the secure ecosystem by submitting it to the Docker catalog. Choose Docker-built for maximum security or community-built for container isolation benefits.

Conclusion

CVE-2025-6514 demonstrates why the current MCP ecosystem needs fundamental security improvements. By containerizing MCP servers and eliminating vulnerable proxy patterns, Docker MCP Toolkit doesn’t just patch this specific vulnerability—it prevents entire classes of host-based attacks.

Coming up in our series: MCP Horror Stories issue 3 will explore how GitHub’s official MCP integration became a vector for private repository data theft through prompt injection attacks.

Learn more

Explore the MCP Catalog: Visit the MCP Catalog to discover MCP servers that solve your specific needs securely.

Use and test hundreds of MCP servers: Download Docker Desktop to download and use any MCP server in our catalog with your favorite clients: Gordon, Claude, Cursor, VS Code, etc.

Submit your server: Join the movement toward secure AI tool distribution. Check our submission guidelines for more.

Follow our progress: Star our repository and watch for updates on the MCP Gateway release and remote server capabilities.

Read issue #1 of this MCP Horror Stories series

Source: https://blog.docker.com/feed/