CVE-2025-63603
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-18

Last updated on: 2026-01-02

Assigner: MITRE

Description
A command injection vulnerability exists in the MCP Data Science Server's (reading-plus-ai/mcp-server-data-exploration) 0.1.6 in the safe_eval() function (src/mcp_server_ds/server.py:108). The function uses Python's exec() to execute user-supplied scripts but fails to restrict the __builtins__ dictionary in the globals parameter. When __builtins__ is not explicitly defined, Python automatically provides access to all built-in functions including __import__, exec, eval, and open. This allows an attacker to execute arbitrary Python code with full system privileges, leading to complete system compromise. The vulnerability can be exploited by submitting a malicious script to the run_script tool, requiring no authentication or special privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-18
Last Modified
2026-01-02
Generated
2026-06-16
AI Q&A
2025-11-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63603
EUVD
EUVD-2025-198042
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mcp_server_for_data_exploration_project mcp_server_for_data_exploration 0.1.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a command injection flaw in the MCP Data Science Server version 0.1.6, specifically in the safe_eval() function. The function uses Python's exec() to run user-supplied scripts but does not properly restrict the __builtins__ dictionary, which means an attacker can execute arbitrary Python code with full system privileges by submitting a malicious script. This can be done without authentication or special privileges.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary code on the affected system with full system privileges, potentially leading to complete system compromise. This means the attacker could take control of the server, access sensitive data, modify or delete files, and disrupt services.

Mitigation Strategies

To mitigate this vulnerability, avoid using the vulnerable version 0.1.6 of MCP Data Science Server. If possible, update to a patched version where the safe_eval() function restricts the __builtins__ dictionary properly. As an immediate step, restrict or disable the run_script tool or any functionality that executes user-supplied scripts without authentication. Additionally, review and modify the safe_eval() function to explicitly define a restricted __builtins__ dictionary in the globals parameter to prevent arbitrary code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63603. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart