MCP Data Science Server Command Injection Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A command injection vulnerability has been identified in MCP Data Science Server version 0.1.6. The issue is in the safe_eval() function, which executes user-supplied scripts with Python's exec(). The globals passed to exec() place no restrictions on the __builtins__ dictionary; when __builtins__ is left undefined, the script has access to all built-in functions, including __import__, exec, eval, and open. This oversight allows attackers to execute arbitrary Python code with full system privileges, potentially leading to a complete system compromise. Exploitation can be achieved by submitting a malicious script through the run_script tool, with no authentication or special privileges required.
Impact
Successful exploitation of this vulnerability allows for arbitrary code execution with full system privileges, leading to complete system compromise.
Reproduction
The vulnerability can be reproduced by using the run_script tool to submit a script that exploits the unsafe exec() usage in the safe_eval() function. The submitted script can access the __builtins__ dictionary and execute arbitrary commands or code with full system privileges.
Remediation
To address this vulnerability, the safe_eval() function should be modified to include a restricted __builtins__ dictionary in the globals parameter, explicitly defining only the necessary functions. Additionally, input validation should be implemented to ensure that user-supplied scripts do not contain malicious payloads.
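The remediation above, sketched as an added example (not the project's own code): the function names, the allowlist contents and the sample scripts are assumptions made for illustration. It contrasts exec() with no __builtins__ key against exec() with an allowlisted __builtins__ plus an AST check that runs before execution.

```python
import ast
import builtins

# Allowlist of builtins exposed to scripts (an assumed, illustrative set).
ALLOWED_BUILTINS = ("abs", "len", "max", "min", "range", "round", "sorted", "sum")
SAFE_BUILTINS = {name: getattr(builtins, name) for name in ALLOWED_BUILTINS}


def unrestricted_eval(script: str) -> dict:
    """Pattern described in the advisory: exec() with no __builtins__ key."""
    scope: dict = {}
    exec(script, scope)  # Python injects the full builtins module into scope
    return scope


def validate(script: str) -> None:
    """Reject import statements and dunder names before anything executes."""
    for node in ast.walk(ast.parse(script)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise ValueError("import statements are not allowed")
        name = getattr(node, "id", None) or getattr(node, "attr", None)
        if isinstance(name, str) and name.startswith("__"):
            raise ValueError(f"dunder name not allowed: {name}")


def restricted_eval(script: str) -> dict:
    """Hardened variant: validate first, then exec with allowlisted builtins."""
    validate(script)
    scope = {"__builtins__": dict(SAFE_BUILTINS)}
    exec(script, scope)
    scope.pop("__builtins__")
    return scope


def is_blocked(script: str) -> bool:
    """True when the hardened evaluator refuses or cannot run the script."""
    try:
        restricted_eval(script)
    except (ValueError, NameError, ImportError):
        return True
    return False


# Constructed sample scripts (benign stand-ins for user-supplied input).
BENIGN = "result = sum(range(5))"
USES_IMPORT = "result = __import__('math').sqrt(16)"
USES_OPEN = "handle = open"
```

A restricted __builtins__ narrows what a script can reach but is not a security boundary by itself. Run the evaluator in an isolated, low-privilege process as well.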
