CVE-2026-25905 Overview
CVE-2026-25905 is a security vulnerability in the mcp-run-python project: Python code executed via the runPython or runPythonAsync functions is not properly isolated from the JavaScript environment. Because of this, any Python code can use Pyodide APIs to modify the JavaScript environment, potentially allowing an attacker to hijack the MCP (Model Context Protocol) server for malicious purposes, including MCP tool shadowing attacks.
Critical Impact
Attackers can exploit the lack of sandbox isolation to hijack the MCP server, enabling malicious activities such as MCP tool shadowing which could compromise the integrity of AI model interactions and downstream systems.
Affected Products
- mcp-run-python (all versions; the project is archived)
- Applications using Pyodide with mcp-run-python integration
- MCP servers utilizing the vulnerable runPython/runPythonAsync functions
Discovery Timeline
- 2026-02-09 - CVE-2026-25905 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25905
Vulnerability Analysis
This vulnerability stems from improper isolation between Python and JavaScript execution contexts within the mcp-run-python project. The runPython and runPythonAsync functions execute Python code using Pyodide, a Python runtime compiled to WebAssembly. However, the implementation fails to establish proper security boundaries between the Python execution environment and the surrounding JavaScript context.
Without adequate isolation, Python code can access and manipulate Pyodide's internal APIs, which provide direct bridges to the JavaScript environment. This allows malicious Python code to escape its intended sandbox, modify JavaScript objects, inject malicious code into the MCP server's execution flow, and perform MCP tool shadowing attacks where legitimate tools are replaced or intercepted with attacker-controlled implementations.
The vulnerability is classified under CWE-653 (Improper Isolation or Compartmentalization), reflecting the fundamental architectural flaw in the security boundary implementation.
Root Cause
The root cause is the absence of proper compartmentalization between the Python runtime and the JavaScript environment. When Pyodide executes Python code, it exposes APIs such as the js module and pyodide.globals that allow bidirectional communication between Python and JavaScript. The mcp-run-python implementation does not restrict or sanitize access to these bridge APIs, enabling Python code to:
- Access JavaScript global objects via Pyodide's js module
- Modify MCP server state and registered tools
- Intercept or replace legitimate MCP tool handlers
- Execute arbitrary JavaScript code through the bridge APIs
Attack Vector
The attack requires network access and user interaction: an attacker must inject or supply malicious Python code that is then executed by the vulnerable runPython or runPythonAsync functions. Once executed, the Python code can leverage Pyodide APIs to escape isolation and manipulate the MCP server environment.
The attack scenario involves the malicious Python code accessing the Pyodide bridge to JavaScript, locating MCP server objects and tool registrations, and replacing legitimate tool handlers with malicious implementations (tool shadowing). Once shadowed, the attacker can intercept sensitive data, modify model interactions, or perform unauthorized actions through the compromised MCP tools.
For detailed technical analysis of the exploitation mechanism, refer to the JFrog Vulnerability Analysis.
Detection Methods for CVE-2026-25905
Indicators of Compromise
- Unexpected modifications to MCP server tool registrations or handlers
- Python code attempting to access Pyodide's js module or pyodide.globals
- Anomalous JavaScript object modifications during Python code execution
- Suspicious MCP tool behavior inconsistent with expected functionality
Detection Strategies
- Monitor Python code executed via runPython/runPythonAsync for attempts to access Pyodide bridge APIs
- Implement logging for MCP tool registration changes and handler modifications
- Deploy runtime integrity checks for MCP server tool definitions
- Analyze Python code inputs for patterns indicative of isolation escape attempts
Monitoring Recommendations
- Enable verbose logging for Pyodide API usage within the application
- Implement real-time monitoring of MCP server state changes
- Set up alerts for unexpected modifications to JavaScript global objects during Python execution
- Conduct regular audits of MCP tool handlers to detect shadowing
How to Mitigate CVE-2026-25905
Immediate Actions Required
- Discontinue use of mcp-run-python as the project is archived and will not receive security patches
- Migrate to alternative Python execution solutions that provide proper sandboxing
- Implement strict input validation for any Python code executed through Pyodide
- Review and audit existing deployments for signs of compromise
Patch Information
The mcp-run-python project is archived and is unlikely to receive a security fix. Organizations using this component should treat it as end-of-life and migrate to supported alternatives that implement proper isolation between Python and JavaScript execution environments.
Workarounds
- Restrict Python code execution to trusted, pre-approved scripts only
- Implement a custom wrapper that filters access to Pyodide bridge APIs before code execution
- Deploy network segmentation to limit the impact of MCP server compromise
- Consider using containerized or process-isolated Python execution environments as an alternative
# Recommended: identify mcp-run-python in the dependency tree (direct and transitive)
npm ls mcp-run-python
# If found, remove the dependency
npm uninstall mcp-run-python
# Check the remaining installed packages against the npm advisory database
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.