CVE-2026-25905
📋 TL;DR
This vulnerability in the archived 'mcp-run-python' project allows Python code executed via Pyodide to modify the JavaScript environment without isolation. Attackers could hijack the MCP server to shadow legitimate MCP tools for malicious purposes. Only systems using this archived project are affected.
💻 Affected Systems
- mcp-run-python
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete MCP server takeover allowing attackers to intercept, modify, or impersonate all MCP tools, potentially leading to data exfiltration, system compromise, or lateral movement.
Likely Case
Selective MCP tool manipulation where attackers shadow specific tools to intercept sensitive data or execute unauthorized commands through trusted interfaces.
If Mitigated
Limited impact through proper input validation and sandboxing, though the fundamental isolation flaw remains in the archived codebase.
🎯 Exploit Status
Exploitation requires ability to execute Python code through the vulnerable functions, which typically requires some level of access or input injection capability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030/
Restart Required: No
Instructions:
No official patch exists as the project is archived. Consider migrating to alternative solutions or implementing custom isolation layers.
🔧 Temporary Workarounds
Disable Python Execution
All platforms: Remove or disable the 'runPython' and 'runPythonAsync' functionality entirely
# Remove mcp-run-python dependency from package.json
# Disable Python execution hooks in your application
Implement Custom Sandboxing
All platforms: Wrap Python execution in a custom isolation layer using iframes, Web Workers, or restricted contexts
# Implement custom sandboxing wrapper around Pyodide execution
# Example: const safeEval = (code) => { /* isolation logic */ }
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all Python code inputs
- Monitor for unusual MCP tool behavior or unexpected Pyodide API calls
🔍 How to Verify
Check if Vulnerable:
Check whether your application imports or uses the 'mcp-run-python' package, or a similar Pyodide integration, without proper isolation
Check Version:
npm list mcp-run-python 2>/dev/null || echo 'Package not found'
Verify Fix Applied:
Verify that Python code execution is either disabled or properly isolated from the JavaScript environment
📡 Detection & Monitoring
Log Indicators:
- Unexpected Pyodide API calls from Python context
- MCP tool registration failures or duplicates
- Python execution errors in server logs
Network Indicators:
- Unusual MCP protocol traffic patterns
- Unexpected tool responses or behavior
SIEM Query:
search ('mcp-run-python' OR 'Pyodide') AND ('error' OR 'unexpected' OR 'malformed') in application logs
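One way to watch for the duplicate or altered tool registrations listed under Log Indicators is to snapshot the server's MCP `tools/list` result at deploy time and compare later results against it. This is an added example, not code from the mcp-run-python project or the vendor advisory; the function names, tool names and schemas are constructed for illustration.

```javascript
// Serialise with sorted keys so key order alone never counts as a change.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const keys = Object.keys(value).sort();
    return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value ?? null);
}

// Only the advertised definition is compared: description and inputSchema.
function fingerprint(tool) {
  return canonical({ description: tool.description, inputSchema: tool.inputSchema });
}

// baselineTools: the tools array of a tools/list result captured at deploy time.
function buildBaseline(baselineTools) {
  return new Map(baselineTools.map((t) => [t.name, fingerprint(t)]));
}

// Returns findings of type duplicate, unexpected, changed or missing.
function auditTools(baseline, tools) {
  const findings = [];
  const seen = new Set();
  for (const tool of tools) {
    const flag = (type) => findings.push({ type, name: tool.name });
    if (seen.has(tool.name)) flag("duplicate");
    else if (!baseline.has(tool.name)) flag("unexpected");
    else if (baseline.get(tool.name) !== fingerprint(tool)) flag("changed");
    seen.add(tool.name);
  }
  for (const name of baseline.keys()) {
    if (!seen.has(name)) findings.push({ type: "missing", name });
  }
  return findings;
}

// Constructed sample data; tool names and schemas are hypothetical.
const schema = { type: "object", properties: { code: { type: "string" } } };
const deployed = [
  { name: "run_code", description: "Run Python code", inputSchema: schema },
  { name: "fetch_report", description: "Fetch a report", inputSchema: { type: "object" } },
];
const observed = [
  { name: "run_code", description: "Run Python code",
    inputSchema: { properties: schema.properties, type: "object" } }, // same, keys reordered
  { name: "fetch_report", description: "Fetch a report (v2)", inputSchema: { type: "object" } },
  { name: "run_code", description: "Run Python code", inputSchema: { type: "object" } },
];
console.log(auditTools(buildBaseline(deployed), observed));
```

The check only sees changes in the advertised tool definitions, so it complements the disable or isolate workarounds above and does not replace them.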