CVE-2025-63603: n/a
A code injection vulnerability (the CVE record labels it command injection) exists in the MCP Data Science Server (reading-plus-ai/mcp-server-data-exploration) 0.1.6 in the safe_eval() function (src/mcp_server_ds/server.py:108). The function uses Python's exec() to execute user-supplied scripts but does not define __builtins__ in the globals dictionary it passes. When __builtins__ is absent, Python inserts a reference to the builtins module under that key, so the script gets every built-in function, including __import__, exec, eval and open. An attacker can therefore execute arbitrary Python code with the privileges of the server process, leading to compromise of the host running it. The vulnerability is exploited by submitting a malicious script to the run_script tool; the tool itself requires no authentication or special privileges.
AI Analysis
Technical Summary
CVE-2025-63603 describes an unrestricted code execution flaw in the MCP Data Science Server (reading-plus-ai/mcp-server-data-exploration, version 0.1.6). The safe_eval() function in src/mcp_server_ds/server.py (line 108 in that release) runs user-supplied Python with exec() but passes a globals dictionary that does not define __builtins__. Python's documented behaviour in that case is to insert the real builtins module under that key, so the script can call __import__, exec, eval, open and every other built-in; the name safe_eval() is misleading, because nothing in the function constrains what the script may do. A script submitted through the run_script tool therefore runs arbitrary Python with the privileges of the server process: whatever datasets, files, environment variables, credentials and network reach that process has, the script has too. "Unauthenticated" here means the tool itself performs no check; how reachable it is depends on deployment. MCP servers are commonly launched by a local client over stdio, in which case hostile input arrives from a malicious or prompt-injected model rather than from an anonymous network user; a server exposed over an HTTP/SSE transport without authentication is reachable by anyone who can connect. Either path yields the same code execution, and a successful script can read or destroy data and use the host to move laterally. At the time of writing no patch or vendor mitigation is listed and no CVSS score has been assigned. The combination of trivially achievable code execution, no authentication on the tool and the sensitive data such servers are typically pointed at is what makes this critical.
Potential Impact
For European organizations, the impact is severe. Any organization running the MCP Data Science Server for AI, machine learning or data exploration work could have the host running it taken over outright, and with it every dataset, file, credential and network path that process can reach. This could lead to unauthorized access to sensitive data, intellectual property theft, disruption of critical data science workflows, and use of the compromised host as a pivot point for broader network attacks. The absence of any authentication on the tool raises the risk considerably, and so does the nature of the client: the script is submitted by a language model, so an attacker who can influence what the model reads may not need network access to the server at all. Given the increasing reliance on AI and data science platforms in finance, healthcare, manufacturing and research across Europe, the potential for operational disruption and data breaches is high, and a breach of personal data carries reputational damage and regulatory consequences under GDPR.
Mitigation Recommendations
Until a fixed release is available, disable the run_script tool or remove the server from client configurations, since there is no safe way to expose it as shipped. When a fix is written, do not rely on handing exec() a trimmed __builtins__ dictionary: on CPython a script can reach the genuine builtins again through attribute access alone (for example by walking object.__subclasses__() to a Python-defined class whose function globals carry __builtins__), so that change removes the trivial payload but not the capability. Treat in-process exec() of untrusted text as unfixable and move execution out of the server process: a separate interpreter running as an unprivileged user, in a container or under a seccomp profile, with no credentials, no network unless required, CPU and memory limits and a hard timeout, plus a static screen in front of it that rejects imports, dunder access and calls such as exec, eval, open and getattr as defense in depth. Because MCP tool calls are issued by a model, anything the model can be induced to emit, including through prompt injection from a document it is analysing, becomes input to run_script; restrict which clients may connect, prefer stdio over a network transport, and put authentication and network controls in front of any HTTP/SSE endpoint. Log every submitted script and its outcome, and review them for import, open, subprocess or network activity. Application-layer firewalls or RASP products add little here, because the tool's legitimate input is arbitrary Python and a filter that recognises "malicious" Python is the sandbox problem restated. Apply the vendor patch promptly once released, and re-test the tool rather than assuming the fix is complete.
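The following is an added example, not code from mcp-server-data-exploration. It reproduces the pattern described in the Technical Summary (exec() with a globals dictionary lacking __builtins__) as vulnerable_safe_eval(), shows why the "restrict __builtins__" fix discussed above is not a security boundary on CPython, and sketches the defensive shape recommended above: a static screen followed by execution in a separate, killable process. The function names, payloads and deny list are this example's own constructions.

```python
"""Added example for CVE-2025-63603; not code from mcp-server-data-exploration.
vulnerable_safe_eval() mirrors the flaw in the advisory, restricted_safe_eval()
is the obvious but insufficient patch, and check_script()/run_script_isolated()
sketch a defensible run_script. All names and payloads are constructed here."""
import ast
import subprocess
import sys


def vulnerable_safe_eval(script: str) -> dict:
    """The flaw as described: exec() with a globals dict that lacks
    '__builtins__', so CPython inserts the real builtins under that key and
    __import__, open, eval and the rest are all reachable."""
    local_ns: dict = {}
    exec(script, {}, local_ns)
    return local_ns


def restricted_safe_eval(script: str) -> dict:
    """Naive fix: hand the script an empty builtins table."""
    local_ns: dict = {}
    exec(script, {"__builtins__": {}}, local_ns)
    return local_ns


# Constructed payload: what any caller of run_script could submit.
PAYLOAD_IMPORT = "import os\nresult = os.getpid()"

# Constructed payload that needs no builtins at all: walk object.__subclasses__()
# until a Python-defined __init__ exposes module globals carrying the genuine
# __builtins__ (a dict in ordinary modules, the module object in __main__).
# This is a long-documented property of CPython, not specific to this server.
PAYLOAD_ESCAPE = """\
for cls in ().__class__.__base__.__subclasses__():
    try:
        b = cls.__init__.__globals__['__builtins__']
        imp = b['__import__'] if b.__class__ is {}.__class__ else b.__import__
        result = imp('os').getpid()
        break
    except:
        continue
"""


def exception_type(fn, *args):
    """Return the exception class fn(*args) raises, or None if it succeeds."""
    try:
        fn(*args)
    except Exception as exc:
        return type(exc)
    return None


DENIED_CALLS = {"exec", "eval", "compile", "open", "__import__", "getattr",
                "setattr", "delattr", "globals", "locals", "vars",
                "breakpoint", "input"}


def check_script(script: str) -> list[str]:
    """Static screen over the AST. Returns reasons to reject; [] means nothing
    obviously hostile. Defense in depth only: it stops the payloads above but
    cannot make in-process exec() of untrusted code safe."""
    try:
        tree = ast.parse(script, mode="exec")
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    reasons = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            reasons.append("import statements are not allowed")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            reasons.append(f"dunder attribute access: {node.attr}")
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            reasons.append(f"dunder name: {node.id}")
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in DENIED_CALLS):
            reasons.append(f"denied call: {node.func.id}")
    return reasons


def run_script_isolated(script: str, timeout: float = 5.0) -> str:
    """Run a screened script in a fresh interpreter (-I ignores environment
    variables and user site-packages) under a timeout, so the server's memory,
    handles and credentials are out of reach and a runaway script can be
    killed. Pair it with an unprivileged user, container or seccomp profile:
    a child process on its own is not a privilege boundary."""
    problems = check_script(script)
    if problems:
        raise ValueError("; ".join(problems))
    proc = subprocess.run([sys.executable, "-I", "-c", script],
                          capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip() or "script failed")
    return proc.stdout


if __name__ == "__main__":
    print("restricted, direct import:", exception_type(restricted_safe_eval, PAYLOAD_IMPORT))
    print("restricted, escape still works:", "result" in restricted_safe_eval(PAYLOAD_ESCAPE))
    print("isolated benign script:", run_script_isolated("print(sum(range(10)))").strip())
```

Running the script prints that the direct import fails with ImportError under the emptied builtins, that the escape payload nevertheless obtains the process id, and that a benign script still runs in the isolated child. The AST screen rejects both constructed payloads, but its job is to cut noise and buy time, not to be the boundary; the boundary is the process and the OS controls around it.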
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 691c98b19b9483ee9a7411a0
Added to database: 11/18/2025, 4:02:57 PM
Last enriched: 11/18/2025, 4:18:21 PM
Last updated: 11/19/2025, 3:55:31 AM
Views: 7
Community Reviews
0 reviews
Related Threats
CVE-2025-6251 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wproyal Royal Addons for Elementor – Addons and Templates Kit for Elementor
CVE-2025-12777 (Medium): CWE-285 Improper Authorization in yithemes YITH WooCommerce Wishlist
CVE-2025-12770 (Medium): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in saadiqbal New User Approve
CVE-2025-12427 (Medium): CWE-639 Authorization Bypass Through User-Controlled Key in yithemes YITH WooCommerce Wishlist
CVE-2025-13051 (Critical): CWE-427 Uncontrolled Search Path Element in ASUSTOR ABP and AES