CVE-2026-25904: CWE-918 Server-Side Request Forgery (SSRF)
CVE-2026-25904 is a Server-Side Request Forgery (SSRF) vulnerability in the Pydantic-AI MCP Run Python tool caused by an overly permissive Deno sandbox configuration. The misconfiguration lets Python code executed inside the sandbox reach the host system's localhost interface, so code run by the tool can make requests to services that are bound only to the host. The project is archived and unlikely to receive a fix, which raises the risk for anyone who continues to deploy it. The vulnerability has a CVSS 3.1 base score of 5.8 (medium severity); it requires user interaction but no privileges. Exploitation could lead to limited confidentiality, integrity and availability impact, with potential for internal network reconnaissance or lateral movement. No exploits are currently reported in the wild. European organizations using this tool, or similar sandboxed code-execution setups with the same kind of configuration, should assess exposure and apply compensating controls, especially in sectors where sensitive internal services are reachable from the host; countries with heavier adoption of Python tooling and AI-related automation are more likely to have it deployed. Immediate mitigation includes disabling or isolating the tool, restricting the sandbox's network permissions so that loopback and internal addresses cannot be reached, and migrating to a supported alternative.
AI Analysis
Technical Summary
CVE-2026-25904 identifies a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the Pydantic-AI MCP Run Python tool. The root cause is an overly permissive configuration of the Deno sandbox in which the tool executes Python code. Instead of isolating the execution environment from the host's network, the sandbox lets the Python code reach the host's loopback interface. Code running in the sandbox can therefore issue requests to services bound to localhost, or otherwise reachable only from the host, that are not exposed externally, bypassing firewall rules and network segmentation. SSRF of this kind can be used for internal network reconnaissance, access to cloud metadata services, or exploitation of other internal vulnerabilities. The project is archived, so no patch is expected and users remain exposed unless they apply manual mitigations. The CVSS 3.1 vector indicates a network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:R), and low confidentiality, integrity and availability impact (C:L/I:L/A:L); the 5.8 score is consistent with a changed scope (S:C), which matches the sandbox-to-host boundary being crossed. No known exploits have been reported in the wild, but the risk remains because no patch is available. The CVE record lists the affected version as "0", presumably the only released version. Given the nature of SSRF and the sandbox environment, exploitation requires getting a user to execute attacker-supplied Python code within the tool; because this is an MCP tool, the code is typically chosen by an LLM agent, so prompt injection in the agent's inputs is a realistic way to induce that execution, after which the code performs requests against the host's internal services.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to internal network security and data confidentiality. Organizations using the Pydantic-AI MCP Run Python tool or similar sandboxed Python execution environments with misconfigurations could see attackers leveraging SSRF to access internal services, including databases, metadata endpoints, or administrative interfaces not exposed externally. This could lead to unauthorized data disclosure, lateral movement within the network, or disruption of internal services. Sectors such as finance, healthcare, and critical infrastructure that rely on internal APIs or metadata services are particularly at risk. The archived status of the project means no official patches will be released, increasing the burden on organizations to implement compensating controls. The requirement for user interaction limits the attack vector to scenarios where an attacker can induce execution of malicious code, such as through social engineering or supply chain compromises. However, once exploited, the scope of impact can extend beyond the initial host due to the SSRF capability. The medium CVSS score reflects this moderate but non-trivial risk.
Mitigation Recommendations
1. Discontinue use of the Pydantic-AI MCP Run Python tool, especially in production or sensitive environments, given its archived status and the absence of patches.
2. If continued use is necessary, run the tool in a strictly controlled network segment with no route to internal services, and tighten the Deno permissions it is launched with so that network access is an explicit allow-list rather than a blanket grant that includes the host's loopback interface.
3. Enforce strict egress filtering so the sandboxed environment cannot reach internal IP ranges, in particular 127.0.0.1, ::1 and other loopback addresses, link-local ranges such as the cloud metadata endpoint, and RFC 1918 space.
4. Employ runtime monitoring and anomaly detection to flag unusual outbound requests originating from the sandbox, including connections to loopback ports.
5. Educate users and developers about the risks of executing untrusted code in this tool, emphasizing that the user interaction the attack needs can be as simple as an agent running code it was induced to run.
6. Migrate to an actively maintained alternative that provides sandboxed Python execution without excessive network permissions.
7. Conduct regular internal penetration testing and vulnerability assessments focused on SSRF and sandbox-escape vectors.
8. Apply network segmentation so that any SSRF from the sandbox reaches as few sensitive internal services as possible.
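The technical summary above describes the failure (sandboxed code allowed to reach the host's loopback interface) and the mitigation list asks for the sandbox's network access to be restricted. The following Python is an added example, not code from this page or from the Pydantic-AI project, showing the two controls a deployer can apply: building a Deno launch command whose network permission is an explicit allow-list with loopback and metadata hosts denied (instead of a blanket `--allow-net`/`-N`), and a host-side check that resolves a requested URL and refuses loopback, link-local, private and metadata destinations before any connection is made. The script name `mcp_server.ts`, the allow-list, the `FAKE_DNS` table and the `build_sandbox_argv`/`classify_target` names are assumptions for illustration; Deno's `--allow-net=<hosts>` and `--deny-net=<hosts>` flags are real, with deny taking precedence over allow.

```python
import ipaddress
import urllib.parse
from typing import Callable, Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], list[str]]

# Hosts the sandbox must never reach, in the host(:port) string forms Deno's
# net permission matches on.  Assumed starting list; extend for your estate.
LOOPBACK_DENY = ["localhost", "127.0.0.1", "[::1]", "0.0.0.0", "169.254.169.254"]


def build_sandbox_argv(script: str, allowed_hosts: Iterable[str]) -> list[str]:
    """Build a `deno run` argv with a least-privilege network grant.

    The permissive form this replaces is `deno run -N <script>` (`-N` is
    `--allow-net` with no host list).  Here network access is granted only to
    an explicit allow-list and loopback/metadata hosts are denied outright;
    `--deny-net` overrides `--allow-net` in Deno, so a host accidentally
    present in both stays blocked.  With an empty allow-list no `--allow-net`
    is emitted at all and the sandbox has no network.
    """
    argv = ["deno", "run"]
    allowed = sorted({h.strip() for h in allowed_hosts if h.strip()})
    if allowed:
        argv.append("--allow-net=" + ",".join(allowed))
    argv.append("--deny-net=" + ",".join(LOOPBACK_DENY))
    argv.append(script)
    return argv


def _literal_ip(host: str) -> Optional[IPAddr]:
    """Parse an IP literal, including the decimal/hex integer forms
    (2130706433, 0x7f000001) that many HTTP clients still treat as 127.0.0.1."""
    h = host.strip("[]")
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(h, 0))
    except ValueError:
        return None


def _is_internal(ip: IPAddr) -> bool:
    """True for loopback, private, link-local (incl. 169.254.169.254),
    unspecified, reserved and multicast space; IPv4-mapped IPv6 is unwrapped."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def classify_target(url: str, resolve: Resolver) -> tuple[str, list[str]]:
    """Return ("allow" | "deny", addresses) for the host a URL would reach.

    Names are resolved *before* the decision and every returned address must
    pass; the caller should then connect to one of those addresses (pinning
    it) instead of resolving again, which closes the check-then-use window
    that DNS rebinding exploits.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "deny", []
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host or host == "localhost" or host.endswith(".localhost"):
        return "deny", []
    literal = _literal_ip(host)
    addrs = [str(literal)] if literal is not None else resolve(host)
    if not addrs:
        return "deny", []  # unresolvable: fail closed
    for addr in addrs:
        ip = _literal_ip(addr)
        if ip is None or _is_internal(ip):
            return "deny", addrs
    return "allow", addrs


# Constructed DNS table so the example runs offline.  "rebind.example" models an
# attacker-controlled public name whose A record points at loopback.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example": ["127.0.0.1"],
    "db.internal": ["10.20.30.40"],
    "dual.example": ["93.184.216.34", "10.0.0.1"],
}


def fake_resolve(name: str) -> list[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print(build_sandbox_argv("mcp_server.ts", ["pypi.org", "cdn.jsdelivr.net"]))
    for u in ("https://api.example.com/v1", "http://127.0.0.1:8080/admin",
              "http://rebind.example/", "http://2130706433/"):
        print(u, "->", classify_target(u, fake_resolve))
```

Deno evaluates these permissions against the host string the sandboxed code passes to fetch, not the address it resolves to, so a deny-list on its own can be sidestepped by a public DNS name pointing at 127.0.0.1; an explicit allow-list is the stronger control, and `classify_target` shows the resolve-then-check ordering a host-side filter needs, returning the validated addresses so the caller connects to one of them rather than resolving a second time.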
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: JFROG
- Date Reserved: 2026-02-08T11:19:42.864Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6989a2774b57a58fa13a5753
Added to database: 2/9/2026, 9:01:43 AM
Last enriched: 2/9/2026, 9:15:52 AM
Last updated: 2/9/2026, 10:15:21 AM
Related Threats
- CVE-2026-2226: Unrestricted Upload in DouPHP (Medium)
- CVE-2026-23903: CWE-289 Authentication Bypass by Alternate Name in Apache Software Foundation Apache Shiro (High)
- CVE-2026-2225: SQL Injection in itsourcecode News Portal Project (Medium)
- CVE-2026-25905: CWE-653 Improper Isolation or Compartmentalization (Medium)
- New Paper and Tool Help Security Teams Move Beyond Blind Reliance on CISA’s KEV Catalog (Medium)