What happened
A critical deserialization bug was found in the MCP SDK's tool response parser — the code path that processes structured outputs returned by MCP servers to LLM clients. An attacker who controls or compromises an MCP server can craft a malformed response payload that triggers arbitrary code execution on the machine running the client.
This is CVSS 9.8 for a reason: the attack vector is fully remote, no authentication is required from the attacker's side, and the impact is complete compromise of the client host.
How it works
The SDK parses server responses with JSON.parse and then runs a schema validation step. A gadget chain in the schema validator allows prototype pollution to escalate to code execution on Node.js runtimes before v18.4: the malformed payload targets the __proto__ property on nested response objects, overwriting internal Node.js VM globals, and on vulnerable runtimes a crafted constructor.prototype.NODE_OPTIONS value triggers code execution at the next eval boundary within the MCP client process.
The attack requires:
- A client connecting to an attacker-controlled MCP server (or a legitimate server that has been hijacked)
- The client issuing at least one tool call
- The client running Node.js < 18.4 or Python SDK < 2.1.0
Who is affected
Any agent using the MCP SDK to connect to external tool servers is potentially affected. This includes:
- Claude Desktop users with third-party MCP servers configured
- Custom agent pipelines using the official MCP TypeScript SDK ≤ 1.2.3
- Python SDK users on versions < 2.1.0
MCP servers themselves are not affected — this is a client-side vulnerability only.
Mitigation
- Upgrade immediately — MCP SDK 1.2.4 (TypeScript) and 2.1.0 (Python) contain the fix. The patch sanitizes prototype properties before schema validation.
- Audit your MCP server list — Remove any servers you don't control or haven't vetted.
- Node.js runtime — Ensure your runtime is Node.js ≥ 18.4 as a secondary defense. The gadget chain does not execute on patched runtimes.
- Network isolation — MCP clients should not connect to arbitrary servers from the public internet without explicit allow-listing.
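To make the "How it works" section and the first mitigation bullet concrete, here is an added example (not code from the MCP SDK or its patch) of a pre-validation sanitizer of the kind the fix describes, next to the unsafe pattern it defends against. The field names `content` and `structuredContent` are loosely modelled on an MCP tool result, the recursive `naiveDeepMerge` is an assumed stand-in for whatever defaults-filling or merge step a schema validator performs, and the polluting payload is constructed for the demonstration.

```javascript
// Added example, not the MCP SDK's code. Shows why a "__proto__" key that
// survives JSON.parse is dangerous once a recursive merge touches it, and how
// stripping such keys before validation (as the advisory's fix does) removes
// the problem. Names and the merge step are assumptions for illustration.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample response. A raw JSON string is used deliberately: in an
// object literal, `__proto__:` would set the prototype rather than an own key.
const RAW_RESPONSE =
  '{"content":[{"type":"text","text":"ok"}],' +
  '"structuredContent":{"__proto__":{"polluted":"yes"}}}';
const UNSAFE_PAYLOAD = JSON.parse(RAW_RESPONSE); // own, enumerable "__proto__" key

// Detection: list the JSON paths of forbidden keys anywhere in a parsed value.
function findForbiddenKeys(value, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findForbiddenKeys(v, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) found.push(here);
      findForbiddenKeys(value[key], here, found);
    }
  }
  return found;
}

// Mitigation 1: rebuild the parsed tree without forbidden keys before it
// reaches schema validation or any merge/defaults logic.
function sanitizeResponse(value) {
  if (Array.isArray(value)) return value.map(sanitizeResponse);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = sanitizeResponse(value[key]);
  }
  return out;
}

// Mitigation 2: drop forbidden keys at parse time via a JSON.parse reviver
// (returning undefined deletes the property from its holder).
function safeParse(text) {
  return JSON.parse(text, (key, value) => (FORBIDDEN_KEYS.has(key) ? undefined : value));
}

// Assumed unsafe pattern: a textbook recursive merge that indexes the target
// by attacker-supplied keys. With key "__proto__", target[key] resolves to
// Object.prototype and the nested values land on every object in the process.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (v !== null && typeof v === 'object' && !Array.isArray(v)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveDeepMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Runs the unsafe merge on a payload and reports whether Object.prototype
// was polluted, then restores the runtime so later checks start clean.
function pollutes(payload) {
  naiveDeepMerge({}, payload);
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return hit;
}

console.log('forbidden keys found:', findForbiddenKeys(UNSAFE_PAYLOAD));
console.log('raw payload pollutes:', pollutes(UNSAFE_PAYLOAD));
console.log('sanitized payload pollutes:', pollutes(sanitizeResponse(UNSAFE_PAYLOAD)));
console.log('reviver-parsed payload pollutes:', pollutes(safeParse(RAW_RESPONSE)));
```

Either mitigation alone is enough to keep the polluting key away from the merge; the detection helper is useful on its own for logging which server sent a response carrying such keys, so a compromised or hostile server shows up in telemetry even after the client has upgraded.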