CVE-2026-25904
📋 TL;DR
CVE-2026-25904 is a Server-Side Request Forgery (SSRF) vulnerability in the Deno sandbox configuration of the Pydantic-AI MCP Run Python tool. The overly permissive settings allow Python code running in the sandbox to reach the localhost interface, enabling attackers to perform SSRF attacks against internal services. This affects users of the archived 'mcp-run-python' project who run untrusted Python code through this tool.
💻 Affected Systems
- Pydantic-AI MCP Run Python tool
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot from the vulnerable application to attack internal services on localhost, potentially accessing sensitive data, executing commands on internal systems, or performing lateral movement within the network.
Likely Case
Attackers could scan internal services, access metadata endpoints, or interact with internal APIs that are only accessible from localhost, potentially exposing sensitive information or enabling further attacks.
If Mitigated
With proper network segmentation and access controls, the impact would be limited to the local host system only, preventing lateral movement to other internal systems.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and this specific configuration issue is straightforward to abuse. The JFrog research article provides technical details about the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://research.jfrog.com/vulnerabilities/mcp-run-python-deno-ssrf-jfsa-2026-001653029/
Restart Required: No
Instructions:
No official patch is available since the project is archived. Consider workarounds or alternative solutions.
🔧 Temporary Workarounds
Restrict Deno Sandbox Permissions
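Modify the Deno sandbox configuration to restrict network access and prevent localhost connections.
Launch Deno without --allow-net (Deno denies network access unless the flag is given), or restrict the flag to specific domains with --allow-net=<host>[,<host>...]. Deno has no "none" keyword here: --allow-net=none would permit a host named "none" rather than disable networking.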
Network Isolation
Run the vulnerable tool in a container or VM with restricted network access
docker run --network=none ...
Use firewalls to block outbound connections from the tool
🧯 If You Can't Patch
- Discontinue use of mcp-run-python and migrate to alternative tools with proper sandboxing
- Implement strict input validation and sanitization for any Python code executed through the tool
🔍 How to Verify
Check if Vulnerable:
Check if you are using mcp-run-python tool and review the Deno sandbox configuration for overly permissive network settings
Check Version:
Check your project dependencies for mcp-run-python usage
Verify Fix Applied:
Test if Python code executed through the tool can still make requests to localhost or internal services
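The configuration review under "Check if Vulnerable" can be scripted. The following is an added example, not code from mcp-run-python or the JFrog advisory: it classifies the network permission granted by a Deno command line. The sample command lines and the script name sandbox.ts are constructed, and --deny-net is not evaluated.

```python
import ipaddress

def _host(entry):
    """Drop an optional :port from an allow-list entry ([v6]:port included)."""
    entry = entry.strip()
    if entry.startswith("["):
        return entry[1:].partition("]")[0]
    return entry.split(":")[0] if entry.count(":") == 1 else entry

def _reaches_loopback(host):
    """True for localhost, loopback IPs and the unspecified address."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # other hostnames are not resolved here
    return ip.is_loopback or ip.is_unspecified

def audit_deno_net(argv):
    """Return (verdict, entries) for the network flags in a Deno argv.

    Every argument is scanned, script arguments included, so the check
    errs towards flagging.
    """
    verdict, entries = "no-network", []  # Deno denies network by default
    for arg in argv:
        flag, sep, value = arg.partition("=")
        if flag in ("-A", "--allow-all"):
            return "permissive", []
        if flag in ("-N", "--allow-net"):
            if not sep:  # bare flag: every host, loopback included
                return "permissive", []
            entries += [e for e in value.split(",") if e]
            verdict = "restricted"
    bad = [e for e in entries if _reaches_loopback(_host(e))]
    return ("loopback-allowed", bad) if bad else (verdict, entries)

# Constructed command lines for illustration (not taken from the project).
SAMPLES = {
    "bare": ["deno", "run", "-N", "sandbox.ts"],
    "loop": ["deno", "run", "--allow-net=pypi.org,127.0.0.1:8000,[::1]:9000", "sandbox.ts"],
    "pinned": ["deno", "run", "--allow-net=cdn.jsdelivr.net:443,pypi.org", "sandbox.ts"],
    "none": ["deno", "run", "sandbox.ts"],
}

if __name__ == "__main__":
    for name, argv in SAMPLES.items():
        print(name, audit_deno_net(argv))
```

A "restricted" verdict only means no literal loopback entry was listed; an allowed hostname that resolves to a loopback or internal address still needs the runtime test described under "Verify Fix Applied".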
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound network connections from the tool to localhost addresses
- Multiple failed connection attempts to internal services
Network Indicators:
- Unexpected traffic from the tool's process to localhost services
- SSRF patterns in HTTP requests originating from the tool
SIEM Query:
source_process="mcp-run-python" AND dest_ip=127.0.0.0/8