CVE-2026-25904 Overview
CVE-2026-25904 is a Server-Side Request Forgery (SSRF) vulnerability in the Pydantic-AI MCP Run Python tool. The vulnerability exists because the Deno sandbox is started with overly permissive network permissions that allow the Python code running inside it to reach the localhost interface of the host system. This misconfiguration enables attackers to perform SSRF attacks, potentially accessing internal services and sensitive resources that should not be reachable from the sandboxed environment.
It is important to note that the mcp-run-python project has been archived and is unlikely to receive a security patch to address this vulnerability.
Critical Impact
Attackers can exploit the overly permissive Deno sandbox configuration to access localhost services on the host machine, potentially compromising internal APIs, metadata services, and other sensitive endpoints that rely on network-level isolation for security.
Affected Products
- Pydantic-AI mcp-run-python tool
- Systems running the MCP Run Python tool with default Deno sandbox configuration
- Applications integrating the archived mcp-run-python project
Discovery Timeline
- 2026-02-09 - CVE-2026-25904 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25904
Vulnerability Analysis
This vulnerability is classified under CWE-918 (Server-Side Request Forgery). The core issue stems from improper sandbox isolation in the Pydantic-AI MCP Run Python tool. The Deno runtime, which is designed to provide a secure sandbox environment for executing untrusted code, has been configured with permissions that allow network access to the localhost interface.
When Python code executes within this supposedly sandboxed environment, it can make HTTP requests to 127.0.0.1 or localhost endpoints on the host machine. This breaks the fundamental security assumption that sandboxed code cannot interact with local services. The vulnerability requires network access and user interaction to exploit, with some complexity involved in crafting the attack, but successful exploitation can impact confidentiality, integrity, and availability of the target system.
Root Cause
The root cause of CVE-2026-25904 is an overly permissive network configuration in the Deno sandbox initialization. Instead of restricting all localhost access or implementing a strict allowlist of permitted network destinations, the sandbox configuration grants broad network permissions that include access to the host's loopback interface. This design flaw allows code running within the sandbox to bypass intended network isolation boundaries.
Attack Vector
The attack vector for this vulnerability is network-based. An attacker can craft malicious Python code that, when executed within the MCP Run Python tool's Deno sandbox, makes requests to localhost services. Potential attack scenarios include:
- Cloud Metadata Service Access: In cloud environments (AWS, GCP, Azure), attackers could access instance metadata services at well-known fixed addresses such as 169.254.169.254 to steal credentials and sensitive configuration data.
- Internal API Exploitation: Requests to internal services listening on localhost that may not require authentication because they assume network-level isolation.
- Port Scanning and Service Discovery: Enumerating services running on the host machine to identify further attack opportunities.
- Database and Cache Access: Connecting to local database servers (Redis, MongoDB, PostgreSQL) that may be bound to localhost without authentication.
The vulnerability is particularly concerning because sandboxing is often deployed specifically to mitigate such risks when executing untrusted code.
Detection Methods for CVE-2026-25904
Indicators of Compromise
- Unexpected outbound HTTP/HTTPS requests from Python processes to localhost or 127.0.0.1 addresses
- Anomalous access patterns to cloud metadata endpoints (e.g., 169.254.169.254)
- Unusual process behavior from applications using the mcp-run-python tool
- Log entries showing requests to internal services that should not be accessible from sandboxed environments
Detection Strategies
- Monitor network traffic from processes associated with Deno and Python sandbox execution for localhost connections
- Implement application-layer firewalls to detect and block SSRF patterns in requests originating from sandboxed environments
- Deploy endpoint detection rules that alert on sandbox escape attempts or unexpected network activity from isolated processes
- Review application logs for evidence of requests to sensitive internal endpoints from the MCP Run Python tool
Monitoring Recommendations
- Configure network monitoring to alert on any localhost or loopback traffic originating from sandbox processes
- Implement egress filtering at the host level to restrict network access from sandboxed applications
- Enable detailed logging for the Deno runtime and Python execution environments to capture all network requests
- Monitor for access attempts to cloud provider metadata services from unexpected sources
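The detection strategies above can be reduced to one check: connections from the sandbox identity to loopback, link-local metadata or internal address ranges. The following added example (not code from the page or the mcp-run-python project) runs that check over constructed connection records; the `user=... proc=... dst=... dport=...` record format, the `sandbox_user` account name and the sample lines are assumptions for illustration.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample records in a hypothetical format; not real Deno, Python or
# mcp-run-python log output.
SAMPLE_RECORDS = [
    "user=sandbox_user proc=deno dst=127.0.0.1 dport=8080",
    "user=sandbox_user proc=deno dst=169.254.169.254 dport=80",
    "user=sandbox_user proc=deno dst=151.101.1.63 dport=443",
    "user=www-data proc=nginx dst=127.0.0.1 dport=5432",
    "user=sandbox_user proc=deno dst=::1 dport=6379",
    "user=sandbox_user proc=deno dst=10.0.0.5 dport=5432",
    "user=sandbox_user proc=deno dst=localhost dport=8000",
]

SANDBOX_USERS = {"sandbox_user"}  # assumed account the sandbox runs under
METADATA_ADDRS = {ipaddress.ip_address("169.254.169.254")}
RECORD_RE = re.compile(r"user=(\S+) proc=(\S+) dst=(\S+) dport=(\d+)")


def classify_destination(dst: str) -> Optional[str]:
    """Return why a destination is suspicious for sandbox egress, or None if it is not."""
    if dst.lower() == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None  # other hostnames are not judged here (no DNS resolution offline)
    if addr in METADATA_ADDRS:
        return "cloud-metadata"  # checked before the generic link-local test
    if addr.is_loopback:
        return "loopback"
    if addr.is_private or addr.is_link_local:
        return "internal"
    return None


def find_sandbox_egress_alerts(lines: Iterable[str],
                               sandbox_users=SANDBOX_USERS) -> List[Dict]:
    """Flag every record where a sandbox identity connects to a non-public destination."""
    alerts = []
    for line in lines:
        m = RECORD_RE.search(line)
        if not m:
            continue  # malformed record: skip rather than crash the monitor
        user, proc, dst, dport = m.groups()
        if user not in sandbox_users:
            continue  # loopback traffic from other services is normal
        reason = classify_destination(dst)
        if reason:
            alerts.append({"user": user, "proc": proc, "dst": dst,
                           "dport": int(dport), "reason": reason})
    return alerts
```

Both IPv4 and IPv6 loopback are covered, and the metadata address is reported separately so it can carry a higher severity than ordinary internal traffic.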
How to Mitigate CVE-2026-25904
Immediate Actions Required
- Discontinue use of the mcp-run-python tool as the project is archived and will not receive security updates
- Audit systems for any deployments of the affected tool and assess exposure
- Implement network-level controls to block sandbox processes from accessing localhost services
- Migrate to actively maintained alternatives with proper sandbox isolation
Patch Information
The mcp-run-python project has been archived and is unlikely to receive a fix for this vulnerability. Organizations using this tool should prioritize migration to alternative solutions. For more information about this vulnerability, refer to the JFrog Vulnerability Report.
Workarounds
- Deploy network policies or firewall rules that explicitly block sandbox processes from accessing localhost and internal network ranges
- Use container isolation or network namespaces to prevent sandbox escape to the host network
- Implement a reverse proxy or network gateway that filters SSRF attempts before they reach sensitive services
- Consider running the tool in a fully isolated virtual machine with no access to sensitive host services
# Example: restrict localhost access with iptables for a dedicated user that runs the sandbox
# Create a dedicated, non-login system user for sandbox execution
useradd -r -s /bin/false sandbox_user
# Block loopback (IPv4 and IPv6) and the cloud metadata address for that user.
# The owner match only works in the OUTPUT chain; place these rules ahead of any
# broad ACCEPT rule, otherwise the earlier rule matches first and these never fire.
iptables -A OUTPUT -m owner --uid-owner sandbox_user -d 127.0.0.0/8 -j DROP
ip6tables -A OUTPUT -m owner --uid-owner sandbox_user -d ::1/128 -j DROP
iptables -A OUTPUT -m owner --uid-owner sandbox_user -d 169.254.169.254 -j DROP
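The root cause described earlier is a broad network grant where a strict allowlist was needed. As an added example (not the project's launcher, whose actual command line is not on this page), the following Python wrapper only starts Deno with an explicit `--allow-net=<hosts>` allowlist, which is Deno's real flag for restricting network access to named hosts, and refuses any allowlist entry that would reopen loopback or metadata access; the script name `sandbox_main.ts` and the host lists are placeholders.

```python
import ipaddress
from typing import Iterable, List

# Names that must never appear in the sandbox's network allowlist (illustrative set).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}

# Weak setting for comparison: a bare --allow-net grants access to every host,
# including 127.0.0.1, which is the class of misconfiguration behind this CVE.
WEAK_COMMAND = ["deno", "run", "--allow-net", "sandbox_main.ts"]


def _host_of(entry: str) -> str:
    """Strip an optional :port from a Deno allow-net entry (IPv6 literals are bracketed)."""
    if entry.startswith("["):
        return entry[1:entry.index("]")]
    return entry.rsplit(":", 1)[0] if ":" in entry else entry


def check_allowlist(entries: Iterable[str]) -> List[str]:
    """Return the reasons an allowlist is unsafe; an empty list means it is acceptable."""
    problems = []
    for entry in entries:
        host = _host_of(entry).lower()
        if host in LOOPBACK_NAMES or host in METADATA_HOSTS:
            problems.append(f"{entry}: loopback or metadata host by name")
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # an ordinary public hostname such as pypi.org is fine
        if (addr.is_loopback or addr.is_link_local or addr.is_private
                or addr.is_unspecified):
            problems.append(f"{entry}: non-public address {addr}")
    return problems


def build_deno_command(script: str, allowed: Iterable[str]) -> List[str]:
    """Build the hardened launch command, or raise if the allowlist is unsafe."""
    allowed = list(allowed)
    problems = check_allowlist(allowed)
    if problems:
        raise ValueError("unsafe network allowlist: " + "; ".join(problems))
    # Only the listed hosts are reachable; everything else, loopback included, is denied.
    return ["deno", "run", "--allow-net=" + ",".join(allowed), script]


if __name__ == "__main__":
    print(build_deno_command("sandbox_main.ts", ["pypi.org:443", "files.pythonhosted.org:443"]))
```

Deno evaluates the allowlist against the host as written in the request, so keep the host-level firewall rules above as a second, independent layer.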
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.