Critical Command Injection Vulnerability in MCP Data Science Server (CVE-2025-63603)

Overview

CVE-2025-63603 details a critical command injection vulnerability affecting the MCP Data Science Server (reading-plus-ai/mcp-server-data-exploration) version 0.1.6. This flaw resides in the safe_eval() function within the src/mcp_server_ds/server.py file. Due to improper sanitization and the use of Python’s exec() function without restricting access to built-in functions, an attacker can execute arbitrary code on the server. This vulnerability requires no authentication and can lead to complete system compromise.

Technical Details

The vulnerability stems from the safe_eval() function’s use of Python’s exec() without properly sandboxing the environment. Specifically, the globals parameter of exec() is not configured to restrict the __builtins__ dictionary. When __builtins__ is left undefined, Python automatically grants access to all built-in functions, including powerful functions like __import__, exec, eval, and open.

This unrestricted access allows an attacker to craft a malicious script that, when executed by the safe_eval() function, can perform arbitrary operations on the server, such as:

• Reading sensitive files
• Writing malicious files
• Executing system commands
• Establishing reverse shells

The run_script tool within the application allows users to submit scripts that are then processed by safe_eval(). Because no authentication is required to access this tool, any unauthenticated user can exploit this vulnerability.

Here’s a simplified snippet of the vulnerable code:

def safe_eval(script):
    # Vulnerable code: exec() used without restricting __builtins__
    exec(script)
    return locals()

CVSS Analysis

Due to the critical nature of this vulnerability and the lack of specified CVSS score, we estimate that it would receive a CVSS v3.x score in the range of 9.0-10.0 (Critical). This is based on the ease of exploitation (no authentication required), the complete system compromise potential, and the availability of the exploit to unauthenticated users.

Possible Impact

The impact of this vulnerability is severe. A successful exploit can result in:

• Complete compromise of the MCP Data Science Server.
• Data breaches, including sensitive user data and proprietary algorithms.
• Denial of service attacks.
• Malware infection and propagation.
• Lateral movement to other systems on the network.

Mitigation and Patch Steps

To mitigate this vulnerability, the following steps should be taken:

1. Upgrade to a patched version: The most effective solution is to upgrade to a patched version of the MCP Data Science Server that addresses the vulnerability. Check the official GitHub repository for updates.
2. Restrict __builtins__: If upgrading is not immediately possible, modify the safe_eval() function to restrict access to potentially dangerous built-in functions. This can be achieved by explicitly defining the globals parameter of exec() and setting __builtins__ to None or a whitelisted set of safe functions. Example:

   
   def safe_eval(script):
       safe_globals = {'__builtins__': None}
       exec(script, safe_globals)
       return locals()
   

3. Input validation: Implement strict input validation on the scripts submitted to the run_script tool. This can help prevent malicious code from being executed.
4. Network Segmentation: Isolate the MCP Data Science Server from other critical systems on the network to limit the potential impact of a successful attack.
5. Disable the run_script tool: If the run_script tool is not essential, consider disabling it until a patch is available.

References

• GitHub Issue #12 (CVE-2025-63603)