A critical vulnerability has been discovered in the MCP Data Science Server that allows attackers to execute arbitrary Python code with system privileges through malicious scripts sent to the run_script tool - no authentication required. This command injection flaw, tracked as CVE-2025-63603, exposes a fundamental security weakness in how the server handles user input through unsafe exec() usage, putting AI agent deployments at significant risk.
How the Attack Works
The vulnerability stems from the MCP Data Science Server's implementation of the run_script tool, which directly passes user-supplied input to Python's exec() function without proper sanitization or validation. When an attacker sends a malicious script to this tool, the server executes it with the same privileges as the MCP server process itself.
The attack vector is straightforward: an attacker crafts a Python script containing system commands or malicious code and submits it through the run_script tool. Since there's no authentication required, anyone with network access to the MCP server can exploit this vulnerability. The exec() function evaluates the input as Python code, allowing attackers to import os modules, execute shell commands, access file systems, or even establish reverse shells.
This is particularly dangerous because MCP servers often run with elevated privileges to access various data sources and tools. An attacker could leverage this to pivot through the network, exfiltrate sensitive data, or compromise other connected systems. The lack of input validation means even simple payloads like __import__('os').system('whoami') can reveal system information and confirm exploitation.
Real-World Implications for AI Agent Deployments
For organizations deploying AI agents with MCP integration, this vulnerability represents a critical security gap that could compromise entire infrastructure stacks. AI agents typically require broad access to data sources, APIs, and computational resources - exactly the kind of access an attacker would want.
Consider a scenario where an AI agent uses the MCP Data Science Server to process customer data. An attacker exploiting CVE-2025-63603 could inject code to dump database credentials, access private customer information, or modify AI training data to introduce bias or backdoors. The server-side nature of the vulnerability means traditional client-side security measures provide no protection.
The timing of this discovery is particularly concerning as organizations increasingly deploy AI agents in production environments. Many teams may have implemented MCP servers without considering the security implications of reference implementations. The fact that these servers are designed as educational examples, not production-ready solutions, highlights the critical gap between proof-of-concept and production deployment practices.
Immediate Defensive Measures
Organizations using the MCP Data Science Server should take immediate action to mitigate this vulnerability. The most critical step is to implement network-level access controls to restrict who can communicate with MCP servers. This includes firewall rules, VPN requirements, and network segmentation to limit exposure.
# Example: Implementing input validation wrapper
def validate_and_execute_script(script_content):
# Block dangerous imports and system calls
dangerous_patterns = [
'import os', 'import subprocess', 'import sys',
'__import__', 'eval(', 'exec(', 'compile(',
'open(', 'file(', 'input('
]
for pattern in dangerous_patterns:
if pattern in script_content:
raise SecurityError(f"Dangerous pattern detected: {pattern}")
# Use restricted execution environment
safe_globals = {
"__builtins__": {
"print": print,
"len": len,
"range": range,
# Add only necessary safe functions
}
}
# Execute in restricted environment
exec(script_content, safe_globals, {})
Additional immediate measures include auditing all existing MCP server configurations, implementing authentication mechanisms even for internal services, and monitoring for suspicious script execution patterns. Organizations should also review the security policy from the MCP servers repository, which explicitly states these are reference implementations not intended for production use.
Long-Term Security Architecture
Building secure MCP-based systems requires architectural changes beyond simple patches. Organizations should implement OAuth 2.1 authentication for all MCP servers, following the patterns established in the MCP Python SDK. This includes proper token validation, scope-based authorization, and regular credential rotation.
# Example: OAuth 2.1 authentication setup
from mcp.server.auth.provider import TokenVerifier
from mcp.server.auth.settings import AuthSettings
class SecureTokenVerifier(TokenVerifier):
async def verify_token(self, token: str) -> AccessToken:
# Validate token against your identity provider
# Check required scopes for script execution
# Implement rate limiting and audit logging
pass
auth_settings = AuthSettings(
issuer="https://your-idp.example.com",
audience="mcp-server",
required_scopes=["script:execute", "data:read"]
)
The security architecture should also include script sandboxing using containers or virtual machines, comprehensive audit logging of all script executions, and automated scanning for vulnerabilities in MCP server implementations. Consider implementing a secure script repository where all scripts are reviewed and approved before execution, similar to how code review processes work for application development.
Key Takeaways and Next Steps
CVE-2025-63603 serves as a wake-up call for the AI agent community about the security implications of rapid MCP adoption. The vulnerability's critical nature and ease of exploitation demand immediate attention from anyone running MCP servers in production environments.
Key actions for AI agent operators: 1. Immediately audit your MCP server deployments and implement network-level access controls 2. Replace unsafe exec() implementations with validated, sandboxed execution environments 3. Implement proper authentication and authorization, even for internal services 4. Regularly review and update MCP server implementations as security patches become available 5. Follow the MCP security policy guidance and avoid using reference implementations in production
The original vulnerability disclosure can be found at https://nvd.nist.gov/vuln/detail/CVE-2025-63603. Stay informed about security updates from the Model Context Protocol project and consider contributing security improvements back to the community. Security is a shared responsibility, especially as we build the infrastructure for the next generation of AI agents.