
CVE-2025-63603: n/a

Severity: Medium
Type: Vulnerability
Published: Tue Nov 18 2025 (11/18/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A command injection vulnerability exists in the MCP Data Science Server (reading-plus-ai/mcp-server-data-exploration) version 0.1.6, in the safe_eval() function (src/mcp_server_ds/server.py:108). The function uses Python's exec() to execute user-supplied scripts but fails to restrict the __builtins__ dictionary in the globals parameter. When __builtins__ is not explicitly defined, Python automatically provides access to all built-in functions, including __import__, exec, eval, and open. This allows an attacker to execute arbitrary Python code with full system privileges, leading to complete system compromise. The vulnerability can be exploited by submitting a malicious script to the run_script tool, requiring no authentication or special privileges.

AI-Powered Analysis

Last updated: 11/25/2025, 16:24:03 UTC

Technical Analysis

CVE-2025-63603 identifies a command injection vulnerability in the MCP Data Science Server (reading-plus-ai/mcp-server-data-exploration) version 0.1.6. The vulnerability resides in the safe_eval() function located in src/mcp_server_ds/server.py at line 108, which uses Python's exec() function to execute user-supplied scripts. Critically, the function fails to restrict the __builtins__ dictionary in the globals parameter passed to exec(). When __builtins__ is not explicitly defined or restricted, Python automatically grants access to all built-in functions, including highly sensitive ones such as __import__, exec, eval, and open. This oversight enables an attacker to craft malicious scripts that execute arbitrary Python code with the same privileges as the MCP Data Science Server process, effectively leading to full system compromise. The vulnerability can be exploited remotely without any authentication or special privileges by submitting malicious scripts to the run_script tool exposed by the server. The CVSS 3.1 base score is 6.5, reflecting medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no public exploits are currently known, the ease of exploitation and potential impact on confidentiality and integrity make this a serious concern. The vulnerability is categorized under CWE-77 (Improper Neutralization of Special Elements used in a Command). No patches or fixes are currently linked, indicating the need for immediate attention from users of this software. Organizations relying on this server for data science operations should consider restricting script execution capabilities or isolating the server until a patch is available.

Potential Impact

For European organizations, exploitation of CVE-2025-63603 could lead to complete system compromise of servers running MCP Data Science Server 0.1.6. Attackers could execute arbitrary code with full system privileges, potentially leading to unauthorized access to sensitive data, manipulation or destruction of data science models and datasets, and disruption of critical data processing workflows. This could result in loss of data integrity and confidentiality, impacting decision-making processes and regulatory compliance, especially under GDPR. The vulnerability's unauthenticated nature increases risk, as attackers do not need valid credentials or user interaction, enabling automated mass exploitation attempts. Compromised systems could also serve as footholds for lateral movement within enterprise networks, escalating the threat to broader IT infrastructure. The absence of known exploits in the wild currently reduces immediate risk, but the vulnerability's characteristics warrant proactive mitigation to prevent future attacks. Organizations in sectors relying heavily on data science and AI, such as finance, healthcare, and manufacturing, are particularly at risk due to the criticality of their data and models.

Mitigation Recommendations

1. Immediate mitigation should include disabling or restricting access to the run_script tool or any functionality that allows execution of user-supplied scripts until a patch is available.
2. Implement strict input validation and sandboxing to limit the execution environment, explicitly defining or removing the __builtins__ dictionary in the globals parameter passed to exec() to prevent access to dangerous built-in functions.
3. Employ application-layer firewalls or web application firewalls (WAFs) to detect and block malicious script submissions targeting this vulnerability.
4. Monitor logs for unusual script execution attempts or anomalous behavior indicative of exploitation attempts.
5. Network segmentation should be used to isolate the MCP Data Science Server from critical systems to limit potential lateral movement.
6. Engage with the software vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available.
7. Conduct regular security assessments and code reviews of custom scripts or extensions running on the server to identify similar insecure coding practices.
8. Educate development and operations teams about the risks of using exec() with untrusted input and promote safer alternatives.
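As an added illustration of mitigation step 2 (this is example code, not the advisory's or the reading-plus-ai project's code), the following shows the exec() pattern the description attributes to safe_eval() next to a hardened form that passes an explicit, minimal __builtins__ table, plus an audit helper that reports which of the built-ins named in the advisory a given globals dict would expose. The allowed-name list and all function names are assumptions.

```python
import builtins

# Built-ins the advisory names as reachable when __builtins__ is omitted.
DANGEROUS_BUILTINS = ("__import__", "exec", "eval", "open")

def run_script_unrestricted(script: str) -> dict:
    """Vulnerable pattern (hypothetical reproduction): the globals dict has no
    "__builtins__" key, so CPython inserts the full builtins table itself."""
    env = {}
    exec(script, env)
    return env

# Hardened form: an explicit, minimal builtins table.  The names a
# data-exploration script is allowed to use are an assumed list.
ALLOWED = ("abs", "len", "min", "max", "sum", "range", "round", "sorted",
           "list", "dict", "enumerate", "zip", "print")
SAFE_BUILTINS = {name: getattr(builtins, name) for name in ALLOWED}

def run_script_restricted(script: str) -> dict:
    env = {"__builtins__": SAFE_BUILTINS}   # explicit table, nothing injected
    exec(script, env)
    return env

def exposed_dangerous_builtins(env: dict) -> list:
    """Audit helper: which advisory-listed built-ins would a script see with
    this globals dict?  A missing key means CPython supplies all of them."""
    table = env.get("__builtins__", builtins)
    names = set(table) if isinstance(table, dict) else set(dir(table))
    return sorted(n for n in DANGEROUS_BUILTINS if n in names)

def restricted_exec_blocks(script: str) -> bool:
    """True if the hardened runner rejects the script with a NameError
    because it reaches for a built-in outside the allowed table."""
    try:
        run_script_restricted(script)
    except NameError:
        return True
    return False

if __name__ == "__main__":
    print(exposed_dangerous_builtins({}))                               # all four
    print(exposed_dangerous_builtins({"__builtins__": SAFE_BUILTINS}))  # []
    print(run_script_restricted("total = sum(range(10))")["total"])     # 45
    print(restricted_exec_blocks("f = open('somefile')"))               # True
```

Restricting __builtins__ removes the direct path the advisory describes but is not a complete sandbox on its own, since Python's object introspection can still reach sensitive functionality; combine it with the process isolation and network segmentation in steps 1 and 5 rather than relying on it alone.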


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 691c98b19b9483ee9a7411a0

Added to database: 11/18/2025, 4:02:57 PM

Last enriched: 11/25/2025, 4:24:03 PM

Last updated: 1/7/2026, 8:47:34 AM
