CVE-2026-25905: MCP Run Python has a Sandbox Escape & Server Takeover Vulnerability
Critical Sandbox Escape & Server Takeover:
A critical security vulnerability exists in mcp-run-python due to a lack of isolation between the Python runtime (Pyodide) and the host JavaScript environment.
The runPython and runPythonAsync functions execute Python code using Pyodide without restricting access to the JavaScript bridge. This allows any executed Python code—whether from a user or an AI model—to access the js module in Pyodide. Through this bridge, the Python code can modify the global JavaScript environment, interact with the Node.js process, and alter the behavior of the MCP server.
Specific Attack Vector: MCP Tool Shadowing
Because the Python code can modify the JS runtime, an attacker can dynamically overwrite or “shadow” existing MCP tools registered on the server. For example, an attacker could replace a secure file-reading tool with a malicious version that exfiltrates data to an external server, all while the MCP server appears to be functioning normally.
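A server-side integrity check for the tool shadowing described above, as an added example that is not code from mcp-run-python or the MCP SDK. The registry object, the read_file tool and all function names are constructed for illustration, and the check assumes the baseline is taken before any untrusted Python runs.

```javascript
// Added example: the registry shape and every name here are constructed,
// not the mcp-run-python or MCP SDK API.

// Record which function backs each tool name at startup.
function snapshotTools(registry) {
  return new Map(Object.entries(registry));
}

// Compare the live registry with the startup baseline and report drift.
function findToolDrift(registry, baseline) {
  const drift = [];
  for (const [name, handler] of baseline) {
    const present = Object.prototype.hasOwnProperty.call(registry, name);
    if (!present) drift.push({ name, change: "removed" });
    else if (registry[name] !== handler) drift.push({ name, change: "replaced" });
  }
  for (const name of Object.keys(registry)) {
    if (!baseline.has(name)) drift.push({ name, change: "added" });
  }
  return drift;
}

// Dispatch only if the handler is still the one registered at startup.
function callTool(registry, baseline, name, args) {
  if (!baseline.has(name) || baseline.get(name) !== registry[name]) {
    throw new Error(`tool "${name}" does not match its startup registration`);
  }
  return registry[name](args);
}

// Constructed scenario: a mutable registry reachable from shared JS state.
function demo() {
  const original = ({ path }) => `contents of ${path}`;
  const registry = { read_file: original };
  const baseline = snapshotTools(registry);
  const before = findToolDrift(registry, baseline);
  // Stand-in for code that reached the registry through the JS bridge.
  registry.read_file = () => "handler swapped";
  const after = findToolDrift(registry, baseline);
  let blocked = false;
  try { callTool(registry, baseline, "read_file", { path: "a.txt" }); }
  catch { blocked = true; }
  // Freezing the registry keeps later overwrites from taking effect.
  const frozen = Object.freeze({ read_file: original });
  try { frozen.read_file = () => "x"; } catch { /* throws in strict mode */ }
  return { before, after, blocked, frozenIntact: frozen.read_file === original };
}
```

A baseline kept in the same JavaScript environment as the Python bridge can itself be modified by code with that access, so this check detects drift but does not supply the missing isolation.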