CVE-2026-25905 - Vulnerability Details

- Lack of isolation in mcp-run-python leads to MCP server takeover

Description

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the "mcp-run-python" project is archived and unlikely to receive a fix.

Published: 2026-02-09

Score: 5.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw lies in the runPython and runPythonAsync functions, which execute Python code that is not isolated from the surrounding JavaScript. Because the Pyodide APIs are accessible, injected Python can alter the JavaScript environment of the MCP server. This weakness, classified as CWE‑653, could allow an attacker to hijack the MCP server, enabling malicious activities such as tool shadowing or other unauthorized control within the server process.

Affected Systems

The vulnerability exists in the mcp‑run‑python component of JFrog's MCP server. The project is archived and no new releases are expected, but any deployment that still uses runPython or runPythonAsync remains affected.

Risk and Exploitability

The CVSS score is 5.8, indicating a medium severity impact. The EPSS score is below 1%, implying a very low probability of observed exploitation, and the issue is not listed in the CISA KEV catalog. The likely attack vector is an adversary able to supply arbitrary Python code to runPython or runPythonAsync; no additional prerequisites beyond code execution are mentioned, so the exploitation path is fairly straightforward if the endpoint is exposed. The combination of medium severity and low exploitation probability suggests that immediate updates are not mandatory, but the control loss warrants careful assessment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

affected

Version	Status	Constraints
`0`	affected	—

No data.

Vendor Product Confidence Versions

Mcp-run-python

—

Version	Status	Scheme	Platform
`—`	affected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Audit current deployments for the use of runPython or runPythonAsync endpoints and document their configuration
If any services use the mcp‑run‑python component, remove or disable the endpoints to prevent arbitrary code execution
Implement additional isolation for any remaining Python execution sandbox, such as limiting access to Pyodide APIs or restricting the environment to non‑privileged contexts
Consider migrating to a newer version of the MCP server that no longer exposes runPython functionality or that implements proper sandboxing

Generated by OpenCVE AI on April 17, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-pfv4-wmph-5gc6	MCP Run Python has a Sandbox Escape & Server Takeover Vulnerability

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030/

History

Tue, 10 Feb 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mcp-run-python Mcp-run-python mcp-run-python
Vendors & Products		Mcp-run-python Mcp-run-python mcp-run-python

Mon, 09 Feb 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Feb 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the "mcp-run-python" project is archived and unlikely to receive a fix.
Title		Lack of isolation in mcp-run-python leads to MCP server takeover
Weaknesses		CWE-653
References		https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030/
Metrics		cvssV3_1 `{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

Mcp-run-python Mcp-run-python

MITRE

Status: PUBLISHED

Assigner: JFROG

Published: 2026-02-09T09:01:16.728Z

Updated: 2026-02-09T12:55:24.415Z

Reserved: 2026-02-08T11:19:42.865Z

Link: CVE-2026-25905

Vulnrichment

Updated: 2026-02-09T12:55:19.471Z

NVD

Status : Deferred

Published: 2026-02-09T09:16:34.030

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25905

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses

CWE-653

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object