The isolation boundary between Python and JavaScript execution has been fundamentally compromised in a widely-used MCP server component. CVE-2026-25905 reveals a critical vulnerability in mcp-run-python where Python code executed through runPython or runPythonAsync can escape its sandbox and directly modify the JavaScript environment. This flaw enables sophisticated MCP tool shadowing attacks, and with the project now archived, no official fix is forthcoming.
How the Attack Works
The vulnerability stems from incomplete isolation between the Python runtime and the host JavaScript environment. When AI agents invoke Python tools through MCP servers, they expect code execution to remain contained within a sandboxed Python interpreter. However, CVE-2026-25905 demonstrates that malicious Python code can break out of this containment and manipulate the JavaScript execution context.
This escape mechanism creates a pathway for tool shadowing attacks. An attacker can inject Python code that modifies how subsequent tool calls are processed, effectively hijacking the MCP server's behavior. The attack chain works by first gaining code execution through legitimate tool invocation, then using Python-to-JS escape to inject malicious handlers that intercept future tool calls.
The implications extend beyond single-agent compromise. Since MCP servers often serve multiple agents or handle sensitive operations, one malicious Python execution can poison the entire server's trust boundary. This represents a fundamental breakdown of the security model that assumes language-specific isolation.
Real-World Impact on AI Agent Deployments
For production AI agent systems, this vulnerability creates several concrete risks. Agents relying on mcp-run-python for data processing, analysis, or automation tasks may unknowingly execute poisoned code that persists across sessions. The tool shadowing capability means attackers can maintain long-term persistence by modifying how legitimate tools respond to subsequent queries.
Consider a document analysis workflow where an agent processes user-uploaded files through Python-based extraction tools. A malicious PDF containing embedded Python code could exploit this vulnerability to modify the MCP server's JavaScript environment, then intercept and exfiltrate all future documents processed by that server instance.
The archived status of the project compounds the risk. Without active maintenance or security patches, organizations must implement their own defensive measures or migrate to alternative solutions. This creates a timeline pressure for security teams to assess exposure and deploy mitigations before exploitation becomes widespread.
Immediate Defensive Measures
Given the critical severity and lack of official patches, immediate action is required for any deployment using mcp-run-python:
- Audit all MCP server configurations to identify usage of vulnerable components
- Implement input validation for all Python code passed to
runPythonfunctions - Deploy network isolation to limit lateral movement if compromise occurs
- Monitor for anomalous tool behavior that might indicate shadowing attempts
For environments requiring continued operation, implement a validation wrapper that inspects Python code before execution:
import ast
import re
class PythonValidator:
"""Validates Python code before MCP execution"""
BANNED_PATTERNS = [
r'__import__\s*\(',
r'eval\s*\(',
r'exec\s*\(',
r'compile\s*\(',
r'ctypes\.',
r'subprocess\.',
r'os\.system',
r'open\s*\([^)]*["\']w',
]
def validate(self, code: str) -> bool:
# Check for dangerous patterns
for pattern in self.BANNED_PATTERNS:
if re.search(pattern, code, re.IGNORECASE):
return False
# Parse AST to check for import statements
try:
tree = ast.parse(code)
for node in ast.walk(tree):
if isinstance(node, (ast.Import, ast.ImportFrom)):
# Whitelist approved modules only
if not self._is_allowed_import(node):
return False
except SyntaxError:
return False
return True
def _is_allowed_import(self, node) -> bool:
allowed = {'math', 'json', 're', 'datetime', 'collections'}
if isinstance(node, ast.Import):
return all(alias.name in allowed for alias in node.names)
elif isinstance(node, ast.ImportFrom):
return node.module in allowed
return False
Long-Term Migration Strategy
The archived status of mcp-run-python necessitates a migration plan. Organizations should evaluate alternative Python execution environments that provide stronger isolation guarantees. Container-based approaches using restricted Docker containers or WASM-based Python runtimes offer more robust security boundaries.
When evaluating replacements, prioritize solutions with:
- Clear process isolation between execution environments
- Active security maintenance and response processes
- Capability to restrict network access and file system operations
- Audit logging for all code execution attempts
Conclusion
CVE-2026-25905 exposes a fundamental weakness in MCP server architecture that many AI agent deployments rely upon. The ability for Python code to escape isolation and modify JavaScript environments represents a critical trust boundary violation with no upstream fix available.
Security teams must act immediately to audit their MCP server configurations, implement validation measures, and plan migration away from vulnerable components. The tool shadowing capability this vulnerability enables could provide attackers with persistent access to AI agent operations, making proactive defense essential.