{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25905", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "state": "PUBLISHED", "assignerShortName": "JFROG", "dateReserved": "2026-02-08T11:19:42.865Z", "datePublished": "2026-02-09T09:01:16.728Z", "dateUpdated": "2026-02-09T12:55:24.415Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.org/project/pip", "packageName": "mcp-run-python", "versions": [{"status": "affected", "version": "0", "versionType": "python"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the \"mcp-run-python\" project is archived and unlikely to receive a fix.</p>"}], "value": "The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the \"mcp-run-python\" project is archived and unlikely to receive a fix."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-653", "description": "CWE-653 Improper Isolation or Compartmentalization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2026-02-09T09:01:16.728Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030/"}], "source": {"discovery": "EXTERNAL"}, "title": "Lack of isolation in mcp-run-python leads to MCP server takeover"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T12:55:11.621045Z", "id": "CVE-2026-25905", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T12:55:24.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25905", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T12:55:11.621045Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T12:55:19.471Z"}}], "cna": {"title": "Lack of isolation in mcp-run-python leads to MCP server takeover", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"versions": [{"status": "affected", "version": "0", "versionType": "python"}], "packageName": "mcp-run-python", "collectionURL": "https://pypi.org/project/pip"}], "references": [{"url": "https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030/", "tags": ["third-party-advisory"]}], "descriptions": [{"lang": "en", "value": "The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the \"mcp-run-python\" project is archived and unlikely to receive a fix.", "supportingMedia": [{"type": "text/html", "value": "<p>The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the \"mcp-run-python\" project is archived and unlikely to receive a fix.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-653", "description": "CWE-653 Improper Isolation or Compartmentalization"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2026-02-09T09:01:16.728Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25905", "state": "PUBLISHED", "dateUpdated": "2026-02-09T12:55:24.415Z", "dateReserved": "2026-02-08T11:19:42.865Z", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "datePublished": "2026-02-09T09:01:16.728Z", "assignerShortName": "JFROG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the \"mcp-run-python\" project is archived and unlikely to receive a fix."}, {"lang": "es", "value": "El c\u00f3digo Python ejecutado por 'runPython' o 'runPythonAsync' no est\u00e1 aislado del resto del c\u00f3digo JS, permitiendo que cualquier c\u00f3digo Python utilice las API de Pyodide para modificar el entorno JS. Esto puede resultar en que un atacante secuestre el servidor MCP - con fines maliciosos, incluida la suplantaci\u00f3n de herramientas MCP. Nota - el proyecto \"mcp-run-python\" est\u00e1 archivado y es poco probable que reciba una soluci\u00f3n."}], "id": "CVE-2026-25905", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.7, "source": "reefs@jfrog.com", "type": "Secondary"}]}, "published": "2026-02-09T09:16:34.030", "references": [{"source": "reefs@jfrog.com", "url": "https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030/"}], "sourceIdentifier": "reefs@jfrog.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-653"}], "source": "reefs@jfrog.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "product": "mcp-run-python", "vendor": "mcp-run-python"}], "analysis": {"en": {"generated_at": "2026-04-17T21:30:05.383983+00:00", "value": {"mitigation_remediation": ["Audit current deployments for the use of runPython or runPythonAsync endpoints and document their configuration", "If any services use the mcp\u2011run\u2011python component, remove or disable the endpoints to prevent arbitrary code execution", "Implement additional isolation for any remaining Python execution sandbox, such as limiting access to Pyodide APIs or restricting the environment to non\u2011privileged contexts", "Consider migrating to a newer version of the MCP server that no longer exposes runPython functionality or that implements proper sandboxing"], "summary": {"action": "Assess Impact", "impact": "MCP server takeover"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the mcp\u2011run\u2011python component of JFrog's MCP server. The project is archived and no new releases are expected, but any deployment that still uses runPython or runPythonAsync remains affected.", "description_and_impact": "The flaw lies in the runPython and runPythonAsync functions, which execute Python code that is not isolated from the surrounding JavaScript. Because the Pyodide APIs are accessible, injected Python can alter the JavaScript environment of the MCP server. This weakness, classified as CWE\u2011653, could allow an attacker to hijack the MCP server, enabling malicious activities such as tool shadowing or other unauthorized control within the server process.", "risk_and_exploitability": "The CVSS score is 5.8, indicating a medium severity impact. The EPSS score is below 1%, implying a very low probability of observed exploitation, and the issue is not listed in the CISA KEV catalog. The likely attack vector is an adversary able to supply arbitrary Python code to runPython or runPythonAsync; no additional prerequisites beyond code execution are mentioned, so the exploitation path is fairly straightforward if the endpoint is exposed. The combination of medium severity and low exploitation probability suggests that immediate updates are not mandatory, but the control loss warrants careful assessment."}}}}, "created": "2026-02-10T16:26:56.630581+00:00", "updated": "2026-04-17T21:30:28.396678+00:00", "vendors": ["mcp-run-python", "mcp-run-python$PRODUCT$mcp-run-python"]}