MCP Run Python has a Sandbox Escape & Server Takeover Vulnerability

Description

Impact

Critical Sandbox Escape & Server Takeover:
A critical security vulnerability exists in mcp-run-python due to a lack of isolation between the Python runtime (Pyodide) and the host JavaScript environment.

The runPython and runPythonAsync functions execute Python code using Pyodide without restricting access to the JavaScript bridge. This allows any executed Python code—whether from a user or an AI model—to access the js module in Pyodide. Through this bridge, the Python code can modify the global JavaScript environment, interact with the Node.js process, and alter the behavior of the MCP server.

Specific Attack Vector: MCP Tool Shadowing
Because the Python code can modify the JS runtime, an attacker can dynamically overwrite or "shadow" existing MCP tools registered on the server. For example, an attacker could replace a secure file-reading tool with a malicious version that exfiltrates data to an external server, all while the MCP server appears to be functioning normally.

Patches

No Patch Available:
The mcp-run-python project is currently archived and maintainers have indicated it is unlikely to receive a fix.

Recommendation:
Users are strongly advised to immediately stop using this package.
If functionality is required, users must migrate to a maintained alternative that implements proper sandboxing (e.g., running Python in a Docker container or a restricted WASM environment with the JS bridge disabled).

Workarounds

There are no configuration-based workarounds. Securing the environment requires modifying the source code to disable the Pyodide-to-JS bridge or moving the execution environment to a fully isolated sandbox (e.g., a separate container).

Resources

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2026-02-09 09:30:22 UTC
Updated
2026-02-12 03:09:38 UTC
GitHub reviewed
2026-02-12 03:09:38 UTC
NVD published
2026-02-09

EPSS Score

Score Percentile
0.01% 2.22%

CVSS Scores

Base score Version Severity Vector
5.8 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.

Identifiers

CWEs

CWE id Name
CWE-653 Improper Isolation or Compartmentalization

Credits

  • saivarun3407 (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip mcp-run-python <= 0.0.22

References

cvelogic Threat Intelligence