CVE-2025-59376

Vulnerability

Overview

The feiskyer mcp-kubernetes-server, an MCP server enabling AI assistants to interact with Kubernetes clusters, contains a validation flaw in its kubectl tool. The server constructs shell commands by prepending "kubectl" to user input, but only inspects the first word of the command to enforce safety flags like --disable-write and --disable-delete. This allows chaining commands using shell metacharacters such as ; [1][3]. For example, a command like kubectl version; kubectl delete pod is permitted because the first word "version" is not a write or delete operation, bypassing the intended restrictions [1].

Exploitation

An attacker with access to the MCP server (e.g., through an AI assistant or directly) can craft input that includes multiple commands separated by shell metacharacters. The server does not sanitize or prevent such chaining, enabling the execution of arbitrary kubectl commands even when write or delete operations are explicitly disallowed [1]. The same technique also leads to OS command injection (CWE-78) because the entire user input is passed to a shell [1].

Impact

Successful exploitation allows an attacker to perform destructive actions like deleting pods or modifying deployments despite --disable-delete or --disable-write being active. Combined with the command injection vector, this can lead to remote code execution on the host running the MCP server, potentially compromising both the host and the connected Kubernetes cluster [1][2].

Mitigation

As of the latest available information, the issue affects all versions up to and including 0.1.11, and no patched version has been released [1][3]. Users should restrict access to the MCP server, apply network segmentation, and monitor for unusual command patterns until an official fix is available.