CVE-2026-25905

Published: Feb 9, 2026Modified: Feb 9, 2026

5.8

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

Exploitability: 1.6 / Impact: 3.7

Source: reefs@jfrog.com (Secondary)

Description

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the "mcp-run-python" project is archived and unlikely to receive a fix.

Related CWEs

CWE-653

Improper Isolation or Compartmentalization

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

References (1)

https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030/

Source: reefs@jfrog.com

Timeline (4)

2/9/2026

4 changes

New CVE Received - Reference

09:16 AM

- -
+ https://research.jfrog.com/vulnerabilities/mcp-run-python-lack-of-isolation-mcp-takeover-jfsa-2026-001653030/

New CVE Received - CWE

09:16 AM

- -
+ CWE-653

New CVE Received - CVSS V3.1

09:16 AM

- -
+ AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

New CVE Received - Description

09:16 AM

- -
+ The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the "mcp-run-python" project is archived and unlikely to receive a fix.