GHSA-PFV4-WMPH-5GC6
Vulnerability from github – Published: 2026-02-09 09:30 – Updated: 2026-02-12 03:09
Impact
Critical Sandbox Escape & Server Takeover:
A critical security vulnerability exists in mcp-run-python due to a lack of isolation between the Python runtime (Pyodide) and the host JavaScript environment.
The runPython and runPythonAsync functions execute Python code using Pyodide without restricting access to the JavaScript bridge. This allows any executed Python code—whether from a user or an AI model—to access the js module in Pyodide. Through this bridge, the Python code can modify the global JavaScript environment, interact with the Node.js process, and alter the behavior of the MCP server.
Specific Attack Vector: MCP Tool Shadowing
Because the Python code can modify the JS runtime, an attacker can dynamically overwrite or "shadow" existing MCP tools registered on the server. For example, an attacker could replace a secure file-reading tool with a malicious version that exfiltrates data to an external server, all while the MCP server appears to be functioning normally.
Note that the "Critical" label above is the reporter's; GitHub's reviewed severity in the record below is MODERATE, with a CVSS 3.1 vector of AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L (high attack complexity, user interaction required, low confidentiality/integrity/availability impact), so the practical exposure depends on who can get code into runPython.
Patches
No Patch Available:
The mcp-run-python project is currently archived and maintainers have indicated it is unlikely to receive a fix.
Recommendation: Users are strongly advised to immediately stop using this package. If functionality is required, users must migrate to a maintained alternative that implements proper sandboxing (e.g., running Python in a Docker container or a restricted WASM environment with the JS bridge disabled).
Workarounds
There are no configuration-based workarounds. Securing the environment requires modifying the source code to disable the Pyodide-to-JS bridge or moving the execution environment to a fully isolated sandbox (e.g., a separate container).
Resources
- CVE-2026-25905: https://nvd.nist.gov/vuln/detail/CVE-2026-25905
- JFrog Security Analysis: MCP Takeover: https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mcp-run-python"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25905"
],
"database_specific": {
"cwe_ids": [
"CWE-653"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-12T03:09:38Z",
"nvd_published_at": "2026-02-09T09:16:34Z",
"severity": "MODERATE"
},
"details": "### Impact\n**Critical Sandbox Escape \u0026 Server Takeover:**\nA critical security vulnerability exists in `mcp-run-python` due to a lack of isolation between the Python runtime (Pyodide) and the host JavaScript environment.\n\nThe `runPython` and `runPythonAsync` functions execute Python code using Pyodide without restricting access to the JavaScript bridge. This allows any executed Python code\u2014whether from a user or an AI model\u2014to access the `js` module in Pyodide. Through this bridge, the Python code can modify the global JavaScript environment, interact with the Node.js process, and alter the behavior of the MCP server.\n\n**Specific Attack Vector: MCP Tool Shadowing**\nBecause the Python code can modify the JS runtime, an attacker can dynamically overwrite or \"shadow\" existing MCP tools registered on the server. For example, an attacker could replace a secure file-reading tool with a malicious version that exfiltrates data to an external server, all while the MCP server appears to be functioning normally.\n\n### Patches\n**No Patch Available:**\nThe `mcp-run-python` project is currently **archived** and maintainers have indicated it is unlikely to receive a fix.\n\n**Recommendation:**\nUsers are strongly advised to **immediately stop using** this package.\nIf functionality is required, users must migrate to a maintained alternative that implements proper sandboxing (e.g., running Python in a Docker container or a restricted WASM environment with the JS bridge disabled).\n\n### Workarounds\nThere are no configuration-based workarounds. Securing the environment requires modifying the source code to disable the Pyodide-to-JS bridge or moving the execution environment to a fully isolated sandbox (e.g., a separate container).\n\n### Resources\n* [CVE-2026-25905](https://nvd.nist.gov/vuln/detail/CVE-2026-25905)\n* [JFrog Security Analysis: MCP Takeover](https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030)",
"id": "GHSA-pfv4-wmph-5gc6",
"modified": "2026-02-12T03:09:38Z",
"published": "2026-02-09T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25905"
},
{
"type": "PACKAGE",
"url": "https://github.com/pydantic/mcp-run-python"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "MCP Run Python has a Sandbox Escape \u0026 Server Takeover Vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.