CVE-2025-59377
Description
feiskyer mcp-kubernetes-server through 0.1.11 allows OS command injection, even in read-only mode, via /mcp/kubectl because shell=True is used. NOTE: this is unrelated to mcp-server-kubernetes and CVE-2025-53355.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
feiskyer mcp-kubernetes-server through 0.1.11 allows OS command injection via /mcp/kubectl due to shell=True, enabling RCE even in read-only mode.
Vulnerability
Details
The vulnerability in feiskyer mcp-kubernetes-server (versions up to 0.1.11) stems from improper sanitization of user input when constructing shell commands. The server exposes an MCP tool named kubectl that builds a command string by prepending "kubectl" to user-provided input. The validation only checks that the first element of the command is kubectl but fails to sanitize the rest for shell metacharacters, and the use of shell=True in the Python subprocess allows chaining arbitrary OS commands via metacharacters like ; [1][4]. This results in OS command injection (CWE-78) even when the server is configured in read-only mode [3].
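The flaw described above, next to a shell-free alternative. This is an added example, not code from the mcp-kubernetes-server project: weak_check, build_argv, run_kubectl, the verb allowlist and the sample inputs are all hypothetical names and values constructed here, and weak_check only models the first-element check the description mentions.

```python
import shlex
import subprocess

# Illustrative allowlist of read-only kubectl verbs (an assumption of this example).
READ_ONLY_VERBS = {"get", "describe", "logs", "top", "explain", "version"}
# Shell control operators; never interpreted without a shell, rejected anyway
# so that a chaining attempt fails loudly and can be logged.
CONTROL_OPERATORS = (";", "&", "|", "`", "$(", "<", ">", "\n")


def weak_check(user_input: str) -> bool:
    """Flawed pattern from the advisory: only the first element is inspected."""
    command = "kubectl " + user_input
    return shlex.split(command)[0] == "kubectl"


def build_argv(user_input: str, read_only: bool = True) -> list[str]:
    """Return an argv list for shell-free execution, or raise ValueError."""
    if any(op in user_input for op in CONTROL_OPERATORS):
        raise ValueError("shell control operator in input")
    args = shlex.split(user_input)  # unbalanced quotes also raise ValueError
    if args and args[0] == "kubectl":
        args = args[1:]
    if not args:
        raise ValueError("empty command")
    # Fail closed: the verb must come first, so leading global flags are refused.
    if read_only and args[0] not in READ_ONLY_VERBS:
        raise ValueError(f"{args[0]!r} is not permitted in read-only mode")
    return ["kubectl", *args]


def run_kubectl(user_input: str, read_only: bool = True) -> subprocess.CompletedProcess:
    """Execute without a shell: each argv element reaches kubectl as one literal argument."""
    argv = build_argv(user_input, read_only)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    # Constructed sample inputs; "echo INJECTED" is a harmless stand-in.
    for sample in ("get pods -n default", "get pods; echo INJECTED", "delete pod web-0"):
        try:
            verdict = build_argv(sample)
        except ValueError as exc:
            verdict = f"rejected: {exc}"
        print(f"{sample!r}: weak_check={weak_check(sample)} hardened={verdict}")
```

The first-element check accepts all three samples, while build_argv accepts only the first one when read_only is true. The allowlist here is deliberately small and would need to match the verbs a real deployment permits.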
Exploitation
An attacker with access to the MCP server (e.g., via an AI assistant interface) can exploit this by sending a crafted request to the /mcp/kubectl endpoint. The input is passed directly to a shell, enabling execution of arbitrary commands. The attacker does not need authentication beyond what is already provided by the MCP client. Additionally, the server's intended access controls (like --disable-write and --disable-delete) can be bypassed using the same command chaining technique, allowing destructive actions even when read-only mode is enforced [1].
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the host running the MCP server. This can lead to full compromise of the host system and the associated Kubernetes cluster, including data exfiltration, resource manipulation, and persistent access. The vulnerability is considered critical because it exposes the entire Kubernetes environment to an attacker who can reach the MCP server [1][2].
Mitigation
As of the latest version (0.1.11), no patch has been released. The project repository has not addressed the issue in the codebase, and shell=True remains in the source code [4]. Users should avoid exposing the MCP server to untrusted networks and apply strict network access controls until a fix is available. This CVE is unrelated to mcp-server-kubernetes and CVE-2025-53355 [3].
- GitHub - william31212/CVE-Requests-1896609: CVE-2025-59376, CVE-2025-59377
- GitHub - feiskyer/mcp-kubernetes-server: A Model Context Protocol (MCP) server that enables AI assistants to interact with Kubernetes clusters. It serves as a bridge between AI tools (like Claude, Cursor, and GitHub Copilot) and Kubernetes, translating natural language requests into Kubernetes operations and returning the results in a format the AI tools can understand.
- NVD - CVE-2025-59377
- mcp-kubernetes-server/src/mcp_kubernetes_server/command.py at 78957b6c1a3982080cf6fcaac6f6e9014116a71c · feiskyer/mcp-kubernetes-server
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mcp-kubernetes-server (PyPI) | <= 0.1.11 | — |
Affected products
- (no CPE) range: <=0.1.11
- (no CPE) range: 0
Patches
No patches discovered yet.