MCPSafe.io
© 2026 MCPSafe. All rights reserved.


Server Implementation

Code injection (eval/exec)

Severity: CRITICAL | AIVSS: 9.6 | CWE: CWE-94 | OWASP: LLM05 | Agentic: T02 | Rule: MCP-010

A tool handler passes model-supplied text into `eval`, `Function`, `exec`, or `compile`, letting the LLM (or whoever prompts it) execute arbitrary code in the server process.

What it is

Code injection is the stricter sibling of command injection: instead of running a shell, the application evaluates the attacker's input as code in the host language. In Python it looks like `eval(input_str)` or `exec(input_str)`; in JavaScript, `eval()` or `new Function(...)`. It is sometimes justified as a way to accept math expressions or template strings, but in practice there is always a safer alternative.

Why it matters for MCP

Tool authors sometimes add an `evaluate` or `transform` tool so the model can do "a little scripting." The model happily obliges and sends in whatever text makes the task easier — including code it was tricked into emitting by indirect prompt injection in a document it retrieved. The result is remote code execution triggered by a malicious wiki page.

Vulnerable example

example.py

# `server` is the MCP server instance the tool is registered on.
@server.tool()
def evaluate(expression: str) -> str:
    """Evaluate a Python expression and return the result."""
    # Model-supplied text goes straight into eval(): whoever controls the
    # prompt (or a document the model retrieved) runs code in this process.
    return str(eval(expression))

Secure example

example.py

from asteval import Interpreter

# minimal=True disables control flow, function definitions, imports and
# similar constructs; use_numpy=False keeps the symbol table small.
# Note: asteval restricts syntax but does not bound CPU or memory, so
# pair it with a timeout or resource limit if expressions are untrusted.
_aeval = Interpreter(minimal=True, use_numpy=False)


@server.tool()
def evaluate(expression: str) -> str:
    """Evaluate a numeric expression (arithmetic only, no names or calls)."""
    if len(expression) > 256:
        raise ValueError("expression too long")
    result = _aeval(expression)
    # asteval collects errors instead of raising; treat any as a rejection
    if _aeval.error:
        raise ValueError("invalid expression")
    return str(result)

How MCPSafe detects this

We match calls to `eval`, `exec`, `Function`, `compile`, `vm.runInThisContext`, and the language equivalents, then check whether any tool-handler parameter flows into them. Taint analysis runs across imports and helper functions.
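A minimal version of that detection step, written here as an added example and not MCPSafe's own scanner: a Python `ast` pass that flags `@….tool()` handlers whose parameters reach `eval`, `exec` or `compile`, following plain assignments inside the handler. The cross-helper and cross-import tracking described above is assumed to be out of scope for this illustration, and the sample source it scans is constructed.

```python
import ast

SINKS = {"eval", "exec", "compile"}  # Python sinks; add Function/vm.* for JS

def _callee(func: ast.expr) -> str:
    # `eval(...)` -> "eval", `builtins.eval(...)` -> "eval", anything else -> ""
    return getattr(func, "id", None) or getattr(func, "attr", "")

def _is_tool_handler(fn: ast.FunctionDef) -> bool:
    # Matches `@server.tool()` and `@server.tool`, whatever the object is called.
    return any(_callee(d.func if isinstance(d, ast.Call) else d) == "tool"
               for d in fn.decorator_list)

def _reads_tainted(node: ast.AST, tainted: set) -> bool:
    return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(node))

def find_code_injection(source: str) -> list:
    """Return (handler, sink, line) for each sink call fed by a handler parameter."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef) or not _is_tool_handler(fn):
            continue
        tainted = {a.arg for a in fn.args.args}
        # Propagate taint through plain assignments to a fixpoint (intra-procedural only).
        grew = True
        while grew:
            grew = False
            for node in ast.walk(fn):
                if isinstance(node, ast.Assign) and _reads_tainted(node.value, tainted):
                    names = {t.id for t in node.targets if isinstance(t, ast.Name)}
                    grew |= not names <= tainted
                    tainted |= names
        for node in ast.walk(fn):
            if isinstance(node, ast.Call) and _callee(node.func) in SINKS:
                if any(_reads_tainted(a, tainted) for a in node.args):
                    findings.append((fn.name, _callee(node.func), node.lineno))
    return findings

# Constructed sample: the catalog's vulnerable handler, a variant that launders
# the parameter through a local, and a handler whose eval input is a constant.
SAMPLE = '''
@server.tool()
def evaluate(expression: str) -> str:
    return str(eval(expression))
@mcp.tool()
def transform(code: str) -> str:
    src = "result = " + code
    exec(compile(src, "<tool>", "exec"))
@server.tool()
def version() -> str:
    return str(eval("1 + 1"))
'''
```

Running `find_code_injection(SAMPLE)` reports `evaluate` and both sinks in `transform`, while `version` is not flagged because no parameter reaches its `eval`.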

See the full threat catalog for every documented detection.

Framework alignment

  • OWASP LLM Top-10 (2025): LLM05 — Improper Output Handling
  • OWASP Agentic AI Top-10: T02 — Tool Misuse
  • AIVSS v0.5: 9.6 (CRITICAL), vector AIVSS:1.0/S:CRITICAL/AV:N/AU:M/BR:H/CD:I

Illustrative CVEs

CVEs of the same CWE class. They are not MCP-specific, but they exemplify the failure mode MCPSafe detects.

  • CVE-2022-29078 — EJS template engine eval — RCE via eval'd input

Further reading

  • CWE-94: Code Injection
  • OWASP LLM01: Prompt Injection

Scan an MCP server for this issue

MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.
