CVE-2026-25904 PUBLISHED

Overly permissive Deno configuration in mcp-run-python leads to SSRF

Assigner: JFROG
Reserved: 08.02.2026 Published: 09.02.2026 Updated: 09.02.2026

The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note - the "mcp-run-python" project is archived and unlikely to receive a fix.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS Score: 5.8

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Package Collection	https://pypi.org/project/pip
Package Name	mcp-run-python
Versions	Version 0 is affected

References

https://research.jfrog.com/vulnerabilities/mcp-run-python-deno-ssrf-jfsa-2026-001653029/

Problem Types

CWE-918 Server-Side Request Forgery (SSRF) CWE