CVE-2025-66404
📋 TL;DR
This CVE describes a command injection vulnerability in the exec_in_pod tool of mcp-server-kubernetes. When commands are provided in string format, they're passed directly to shell interpretation without validation, allowing attackers to execute arbitrary commands. This affects users of mcp-server-kubernetes versions prior to 2.9.8 who use the exec_in_pod functionality.
💻 Affected Systems
- mcp-server-kubernetes
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Kubernetes cluster through arbitrary command execution with the permissions of the mcp-server-kubernetes service account, potentially leading to data exfiltration, resource hijacking, or lateral movement.
Likely Case
Limited command execution within pods, potentially exposing sensitive data or disrupting pod operations, especially through indirect prompt injection attacks via AI agents.
If Mitigated
Contained impact limited to the specific pod's namespace if proper RBAC and network policies restrict the service account's permissions.
🎯 Exploit Status
Exploitation requires access to the MCP server interface. The vulnerability is straightforward to exploit once access is obtained, as shell metacharacters can be directly injected.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.8
Vendor Advisory: https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-wvxp-jp4w-w8wg
Restart Required: Yes
Instructions:
1. Update mcp-server-kubernetes to version 2.9.8 or later.
2. Restart the mcp-server-kubernetes service.
3. Verify the fix by checking the version and testing command injection attempts.
🔧 Temporary Workarounds
Disable exec_in_pod functionality
all: Temporarily disable or restrict access to the vulnerable exec_in_pod tool until patching is complete.
# Configure MCP server to disable exec_in_pod or restrict its usage through access controls
Enforce command array format
all: Configure the system to only accept commands in array format, bypassing the vulnerable string parsing path.
# Modify client configurations to always send commands as arrays rather than strings
🧯 If You Can't Patch
- Implement strict input validation to reject commands containing shell metacharacters when provided as strings.
- Apply least privilege principles to the mcp-server-kubernetes service account using Kubernetes RBAC to limit potential damage.
🔍 How to Verify
Check if Vulnerable:
Check if mcp-server-kubernetes version is below 2.9.8 and if exec_in_pod accepts string-formatted commands.
Check Version:
Check the mcp-server-kubernetes version in your deployment configuration, or run the appropriate version check command for your installation method.
Verify Fix Applied:
After updating to 2.9.8+, attempt to inject shell metacharacters in string-formatted commands and verify they are rejected or properly escaped.
📡 Detection & Monitoring
Log Indicators:
- Unusual command patterns in exec_in_pod logs
- Multiple shell metacharacters in command strings
- Commands with pipe operators or redirections
Network Indicators:
- Unexpected outbound connections from pods after exec_in_pod commands
- Unusual command execution patterns via MCP protocol
SIEM Query:
Search for exec_in_pod events containing shell metacharacters like ;, |, &, $, (, ), <, >, ` in command strings
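
The string-command validation from "If You Can't Patch" and the SIEM search above can share one check. The following is an added example, not code from mcp-server-kubernetes or the vendor advisory. It goes slightly further than the page by also flagging argv arrays that explicitly start a shell. The JSON log shape, the `pod` field and the `allowPlainStrings` option are assumptions, and the sample events are constructed.

```javascript
// Added example. The JSON log shape (tool, args.command, args.pod) is an
// assumption; adapt the field names to your own MCP gateway or audit log.
// Characters from the SIEM guidance above, plus newline (also a command separator).
const SHELL_META = /[;|&$()<>`\n]/g;
const SHELLS = new Set(["sh", "bash", "ash", "dash", "zsh"]);

// Classify one exec_in_pod `command` value: "allow", "review" or "reject".
function classifyCommand(command, { allowPlainStrings = false } = {}) {
  if (Array.isArray(command)) {
    if (command.length === 0 || !command.every((a) => typeof a === "string"))
      return { verdict: "reject", reason: "array must be non-empty strings" };
    // argv arrays bypass string parsing, but `sh -c <script>` re-enables a shell.
    const base = command[0].split("/").pop();
    if (SHELLS.has(base) && command.includes("-c"))
      return { verdict: "review", reason: "argv explicitly invokes a shell" };
    return { verdict: "allow", reason: "argv array" };
  }
  if (typeof command !== "string") return { verdict: "reject", reason: "unsupported command type" };
  const hits = [...new Set(command.match(SHELL_META) || [])];
  if (hits.length) return { verdict: "reject", reason: "metacharacters: " + hits.join(" ") };
  return allowPlainStrings
    ? { verdict: "allow", reason: "plain string" }
    : { verdict: "reject", reason: "string form disabled, send an array" };
}

// Scan JSON-lines tool-call logs; return every exec_in_pod call that is not allowed.
function scanLog(lines, opts) {
  const findings = [];
  lines.forEach((line, i) => {
    let ev;
    try { ev = JSON.parse(line); } catch { return; } // skip non-JSON lines
    if (!ev || ev.tool !== "exec_in_pod" || !ev.args) return;
    const result = classifyCommand(ev.args.command, opts);
    if (result.verdict !== "allow") findings.push({ line: i + 1, pod: ev.args.pod, ...result });
  });
  return findings;
}

// Constructed sample events (not real logs).
const SAMPLE_LOG = [
  '{"tool":"exec_in_pod","args":{"pod":"web-1","command":["ls","-l","/tmp"]}}',
  '{"tool":"exec_in_pod","args":{"pod":"web-1","command":"ls /tmp; id"}}',
  '{"tool":"exec_in_pod","args":{"pod":"db-0","command":"cat /etc/hostname | wc -c"}}',
  '{"tool":"exec_in_pod","args":{"pod":"db-0","command":["sh","-c","echo $HOME"]}}',
  '{"tool":"other_tool","args":{"command":"a; b"}}',
];
console.log(scanLog(SAMPLE_LOG, { allowPlainStrings: true }));
```

Used as a pre-dispatch guard, treat anything other than `allow` as a refusal; used over logs, `review` entries are the ones to triage by hand.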