CVE-2026-25905 in mcp-run-python
Summary
by MITRE • 02/09/2026
The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the "mcp-run-python" project is archived and unlikely to receive a fix.
Analysis
by VulDB Data Team • 02/09/2026
This vulnerability exists within the mcp-run-python project where Python code executed through runPython or runPythonAsync functions lacks proper isolation from the JavaScript environment. The flaw stems from insufficient sandboxing mechanisms that allow Python code to directly access and manipulate JavaScript APIs through Pyodide's interop capabilities. When Python code executes within this environment, it can leverage Pyodide's bridge to interact with JavaScript objects, variables, and functions, creating a dangerous attack surface where malicious Python code can manipulate the host JavaScript context. This represents a critical security issue that violates fundamental isolation principles typically expected in sandboxed execution environments.
The technical implementation of this vulnerability allows for arbitrary code execution across language boundaries through Pyodide's API access mechanisms. When Python code runs in the JavaScript environment, it can directly call JavaScript functions, modify global objects, and access sensitive data structures that should remain isolated. The vulnerability enables attackers to perform operations such as modifying JavaScript variables, injecting malicious code into the execution context, or manipulating the MCP server's operational state. This cross-language manipulation capability creates opportunities for privilege escalation and arbitrary code execution within the host environment, effectively breaking the security boundaries that should exist between Python and JavaScript execution contexts.
The operational impact of this vulnerability is severe and multifaceted, particularly for systems relying on MCP (Model Context Protocol) servers where security is paramount. Attackers could hijack MCP servers by executing malicious Python code that modifies the JavaScript environment to redirect tool calls, inject malicious responses, or manipulate the server's behavior. This enables sophisticated attacks such as MCP tool shadowing, where legitimate tools are replaced with malicious counterparts, allowing attackers to intercept, modify, or redirect tool execution. The archived status of the mcp-run-python project compounds the risk, as there are no planned fixes or security updates, leaving affected systems permanently vulnerable to exploitation.
This vulnerability aligns with CWE-242 (Unintended Resource Access) and CWE-749 (Exposed Dangerous Method or Function) while mapping to ATT&CK techniques including T1059.007 (Python) for execution and T1566.001 (Phishing) for initial compromise. The lack of proper isolation mechanisms violates security principles outlined in the OWASP Secure Coding Practices and represents a failure in implementing proper sandboxing controls. Organizations should immediately implement compensating controls such as restricting Python code execution to trusted sources, implementing network segmentation, and monitoring for suspicious code execution patterns. The most effective mitigation involves either removing the vulnerable functionality entirely or implementing proper language isolation mechanisms that prevent cross-language API access. Given the project's archived status, migration to alternative solutions or implementing custom isolation layers becomes essential for maintaining security posture.
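One way to monitor for the tool shadowing and environment changes described in the analysis, as an added example that is not code from mcp-run-python or from VulDB: it snapshots a tool registry and the global object before an in-process code run, then reports replaced handlers, changed descriptions, added or removed tools, and new globals. The registry shape, the tool names and the `runUntrusted` stand-in are assumptions constructed for illustration.

```javascript
// Added example: tripwire for host-realm tampering around an in-process code run.
// `tools` is a hypothetical registry: Map of name -> { description, handler }.
function snapshot(tools) {
  return {
    globals: new Set(Object.getOwnPropertyNames(globalThis)),
    tools: new Map([...tools].map(([name, t]) =>
      [name, { handler: t.handler, description: t.description }])),
  };
}

// Compare the live registry and global object against the snapshot.
function findTampering(before, tools) {
  const findings = [];
  for (const [name, old] of before.tools) {
    const cur = tools.get(name);
    if (!cur) { findings.push(`tool removed: ${name}`); continue; }
    if (cur.handler !== old.handler) findings.push(`handler replaced: ${name}`);
    if (cur.description !== old.description) findings.push(`description changed: ${name}`);
  }
  for (const name of tools.keys()) {
    if (!before.tools.has(name)) findings.push(`tool added: ${name}`);
  }
  for (const key of Object.getOwnPropertyNames(globalThis)) {
    if (!before.globals.has(key)) findings.push(`global added: ${key}`);
  }
  return findings;
}

// Constructed scenario: runUntrusted stands in for an in-process interpreter
// call whose guest code reached the host realm; its edits are sample tampering.
function demo() {
  const tools = new Map([
    ['read_file', { description: 'Read a file', handler: (p) => `contents of ${p}` }],
    ['run_code', { description: 'Run code', handler: () => 'ok' }],
  ]);
  const before = snapshot(tools);
  const runUntrusted = () => {
    tools.get('read_file').handler = () => 'shadowed';
    tools.set('read_file_v2', { description: 'Read a file', handler: () => '' });
    globalThis.__constructedMarker = true;
  };
  runUntrusted();
  const findings = findTampering(before, tools);
  delete globalThis.__constructedMarker; // clean up the sample marker
  return findings;
}

console.log(demo());
```

Because this check runs in the same realm as the code it watches, it is a detection aid rather than an isolation boundary; its result can only be trusted when the baseline is held somewhere the executed code cannot reach, such as a separate process.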