CVE-2025-63604 Overview
CVE-2025-63604 is a code injection vulnerability in baryhuang/mcp-server-aws-resources-python version 0.1.0. The flaw resides in the execute_query method, which passes user-supplied input directly to Python's exec() function. The execution namespace also exposes dangerous built-ins including __import__, getattr, and hasattr. Attackers can craft malicious queries to execute arbitrary Python code on the server without authentication. Successful exploitation enables theft of AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), environment variable disclosure, file system access, and potential system compromise. The vulnerability is tracked as [CWE-77] Command Injection.
Critical Impact
Unauthenticated remote attackers can execute arbitrary Python code and exfiltrate AWS credentials from the Model Context Protocol (MCP) server environment.
Affected Products
- baryhuang/mcp-server-aws-resources-python version 0.1.0
- MCP servers exposing the execute_query endpoint
- Environments storing AWS credentials as environment variables on the affected server
Discovery Timeline
- 2025-11-18 - CVE-2025-63604 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-63604
Vulnerability Analysis
The mcp-server-aws-resources-python project provides a Model Context Protocol (MCP) server that allows AI clients to query AWS resources through Python expressions. The execute_query method is designed to evaluate user-supplied Python code against a boto3 session. Instead of parsing and validating queries against an allowlist, the server passes the input string directly to exec().
The execution namespace exposes Python built-ins such as __import__, getattr, and hasattr. These primitives are sufficient for an attacker to reach any module in the Python standard library, including os, subprocess, and sys. From there, an attacker can read os.environ, spawn processes, or open arbitrary files on the host.
Because the MCP server runs with the AWS credentials it uses to service queries, credential theft is the immediate impact. Attackers can also pivot into connected AWS accounts using the stolen access keys.
Root Cause
The root cause is insufficient input validation combined with the direct use of exec() on untrusted input. The server treats query strings as trusted Python source code. It does not sandbox execution, restrict built-ins, or apply an abstract syntax tree (AST) allowlist. Exposing __import__ in the namespace defeats any attempt at restricting module access.
Attack Vector
Exploitation requires network access to the MCP server endpoint and no authentication. An attacker submits a query containing arbitrary Python statements. The execute_query method invokes exec() on the payload, and the attacker's code runs with the server process's privileges. A typical payload uses __import__('os').environ to read AWS credentials, then transmits them to an attacker-controlled endpoint. See the GitHub Issue Discussion for technical context on the exposed sinks.
Detection Methods for CVE-2025-63604
Indicators of Compromise
- Query strings containing __import__, getattr, hasattr, os.environ, subprocess, or open( submitted to the MCP server
- Outbound network connections from the MCP server host to unfamiliar external endpoints shortly after query execution
- Access to AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY environment variables from unexpected processes
- CloudTrail entries showing API calls from IP addresses that do not match the MCP server's egress address
Detection Strategies
- Log all inputs to the execute_query method and alert on tokens associated with dynamic imports or process spawning
- Correlate MCP server process activity with AWS CloudTrail credential usage to identify credential theft
- Monitor for child processes spawned by the Python interpreter running the MCP server
- Deploy runtime application self-protection (RASP) rules that flag calls to exec() or eval() on request-derived strings
Monitoring Recommendations
- Enable AWS GuardDuty findings for UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration and anomalous API usage
- Forward MCP server logs to a centralized SIEM and build detections on the IOCs above
- Track file access patterns on the MCP server host, particularly reads of /proc/self/environ and dotfiles containing credentials
How to Mitigate CVE-2025-63604
Immediate Actions Required
- Take the affected MCP server offline until it can be patched or replaced
- Rotate all AWS credentials that were accessible from the server environment, including IAM user keys and role session tokens
- Review AWS CloudTrail logs for suspicious API activity originating from the exposed credentials
- Restrict IAM permissions on the credentials used by the MCP server to the minimum required scope
Patch Information
No vendor patch is referenced in the CVE data at the time of publication. Consult the GitHub Issue Discussion for remediation status. Users should track the upstream repository for a fixed release beyond 0.1.0.
Workarounds
- Replace exec() with an AST-based allowlist parser that only permits boto3 client calls
- Remove __import__, getattr, and hasattr from the execution namespace passed to exec()
- Run the MCP server inside a container with no AWS credentials in environment variables; use IAM roles with short-lived tokens instead
- Place the server behind an authenticated reverse proxy and restrict network access to trusted clients
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

