CVE-2025-59377
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-09-20
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| feisky | mcp-kubernetes-server | up to and including 0.1.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59377 is a vulnerability in the feiskyer mcp-kubernetes-server (version 0.1.11 and earlier) that allows OS command injection via the /mcp/kubectl endpoint. The server uses shell=True when executing commands, and it only validates that the first command token is 'kubectl' but does not sanitize subsequent input. This allows attackers to chain arbitrary OS commands using shell metacharacters, leading to Remote Code Execution (RCE) on the host running the MCP server. Additionally, the server's access control flags (--disable-write and --disable-delete) can be bypassed by chaining allowed commands with forbidden ones, enabling destructive operations despite restrictions. Indirect prompt injection attacks via LLM clients reading pod logs can also trigger unauthorized commands. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can allow attackers to execute arbitrary OS commands on the host running the MCP server, leading to Remote Code Execution (RCE). Attackers can bypass security policies intended to restrict destructive Kubernetes operations, such as deleting pods or scaling deployments, potentially resulting in full cluster compromise and unauthorized control over Kubernetes resources. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or chained kubectl commands that include shell metacharacters such as semicolons (';'). You can check for unexpected file creations like '/tmp/rce_proof.txt' which is used in proof-of-concept exploits. Commands to detect exploitation attempts include searching for such files (e.g., 'ls -l /tmp/rce_proof.txt') and monitoring logs or network traffic for kubectl commands containing command chaining patterns. Additionally, reviewing pod logs for injected malicious prompts that could trigger indirect prompt injection is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the mcp-kubernetes-server to trusted users only, disabling or limiting the use of the vulnerable 'kubectl' tool exposed by the MCP server, and avoiding use of versions v0.1.11 and earlier. Since the vulnerability arises from improper input sanitization and command validation, applying patches or updates from the vendor that fix the shell command injection issue is critical. Additionally, monitoring and filtering commands to prevent command chaining and disabling indirect prompt injection vectors by controlling LLM client interactions with pod logs can help mitigate exploitation. [1]
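One way to implement the command validation described above, as an added example that is not code from mcp-kubernetes-server or from this advisory. It contrasts the first-token check with a validator that inspects the whole command, enforces the write/delete policy on the verb, and returns an argv list for execution without a shell. The function names, verb sets and rejected-character set are assumptions made for illustration.

```python
import shlex
import subprocess

# Assumed verb sets for illustration; the project's real policy lists are not on the page.
READ_VERBS = {"get", "describe", "logs", "top", "version", "api-resources"}
WRITE_VERBS = {"apply", "create", "patch", "scale", "label", "annotate"}
DELETE_VERBS = {"delete"}
# Rejected outright as defense in depth, even though no shell is involved below.
SHELL_META = set(";&|`$<>\n\r")


def weak_check(command: str) -> bool:
    """The flawed pattern described above: only the first token is inspected."""
    tokens = command.split()
    return bool(tokens) and tokens[0] == "kubectl"


def build_kubectl_argv(command: str, disable_write: bool = False,
                       disable_delete: bool = False) -> list[str]:
    """Validate the whole command and return an argv list, or raise ValueError."""
    if any(ch in SHELL_META for ch in command):
        raise ValueError("shell metacharacter rejected")
    argv = shlex.split(command)  # raises ValueError on unbalanced quotes
    if len(argv) < 2 or argv[0] != "kubectl":
        raise ValueError("only 'kubectl <verb> ...' is accepted")
    verb = argv[1]  # this sketch requires the verb directly after 'kubectl'
    if verb in DELETE_VERBS:
        if disable_delete:
            raise ValueError("delete operations are disabled")
    elif verb in WRITE_VERBS:
        if disable_write:
            raise ValueError("write operations are disabled")
    elif verb not in READ_VERBS:
        raise ValueError(f"verb not on the allowlist: {verb}")
    return argv


def run_kubectl(command: str, **policy) -> subprocess.CompletedProcess:
    """Execute without a shell so the input is never parsed as shell syntax."""
    argv = build_kubectl_argv(command, **policy)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)


# Constructed sample input: an allowed command chained with a forbidden one.
CHAINED = "kubectl get pods; kubectl delete pod web"
```

Because the verb must be on an allowlist, subcommands such as `exec`, `cp` and `run` are refused by default in this sketch and would need an explicit policy decision before being added.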