CVE-2025-59377
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-09-20

Assigner: MITRE

Description
feiskyer mcp-kubernetes-server through 0.1.11 allows OS command injection, even in read-only mode, via /mcp/kubectl because shell=True is used. NOTE: this is unrelated to mcp-server-kubernetes and CVE-2025-53355.
Meta Information
Published: 2025-09-15
Last Modified: 2025-09-20
Generated: 2026-06-16
AI Q&A: 2025-09-15
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: feisky
Product: mcp-kubernetes-server
Version / Range: to 0.1.11 (inc)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

CVE-2025-59377 is a vulnerability in the feiskyer mcp-kubernetes-server (version 0.1.11 and earlier) that allows OS command injection via the /mcp/kubectl endpoint. The server uses shell=True when executing commands, and it only validates that the first command token is 'kubectl' but does not sanitize subsequent input. This allows attackers to chain arbitrary OS commands using shell metacharacters, leading to Remote Code Execution (RCE) on the host running the MCP server. Additionally, the server's access control flags (--disable-write and --disable-delete) can be bypassed by chaining allowed commands with forbidden ones, enabling destructive operations despite restrictions. Indirect prompt injection attacks via LLM clients reading pod logs can also trigger unauthorized commands. [1]

Impact Analysis

If exploited, this vulnerability can allow attackers to execute arbitrary OS commands on the host running the MCP server, leading to Remote Code Execution (RCE). Attackers can bypass security policies intended to restrict destructive Kubernetes operations, such as deleting pods or scaling deployments, potentially resulting in full cluster compromise and unauthorized control over Kubernetes resources. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unusual or chained kubectl commands that include shell metacharacters such as semicolons (';'). Check for unexpected file creations such as '/tmp/rce_proof.txt', which is used in proof-of-concept exploits (e.g., 'ls -l /tmp/rce_proof.txt'), and monitor logs or network traffic for kubectl commands containing command-chaining patterns. Reviewing pod logs for injected malicious prompts that could trigger indirect prompt injection is also recommended. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the mcp-kubernetes-server to trusted users only, disabling or limiting the use of the vulnerable 'kubectl' tool exposed by the MCP server, and avoiding use of versions v0.1.11 and earlier. Since the vulnerability arises from improper input sanitization and command validation, applying patches or updates from the vendor that fix the shell command injection issue is critical. Additionally, monitoring and filtering commands to prevent command chaining and disabling indirect prompt injection vectors by controlling LLM client interactions with pod logs can help mitigate exploitation. [1]
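
An added example, not the project's code or its patch: a Python sketch of the first-token check the summary describes, next to a handler that builds an argv list and runs it without a shell. The function names, the read-only verb set, the metacharacter set and the sample commands are assumptions constructed for illustration.

```python
import shlex
import subprocess

# Assumed read-only verb set for this example; a real policy may differ.
READ_ONLY_VERBS = {"get", "describe", "logs", "top", "version"}
# Characters that chain or redirect commands in a shell. With shell=False they
# are inert, so rejecting them is an early, loggable failure, not the main fix.
SHELL_META = set(";&|`$<>\n")

def naive_is_allowed(command: str) -> bool:
    """The check the summary describes: only the first token is inspected."""
    tokens = command.split()
    return bool(tokens) and tokens[0] == "kubectl"

def build_argv(command: str, read_only: bool = True) -> list[str]:
    """Return an argv list suitable for shell=False, or raise ValueError."""
    if SHELL_META & set(command):
        raise ValueError("shell metacharacter in command")
    argv = shlex.split(command)  # raises ValueError on unbalanced quotes
    # Simplification: the verb must be argv[1] (no global flags before it).
    if len(argv) < 2 or argv[0] != "kubectl":
        raise ValueError("only 'kubectl <verb> ...' is accepted")
    if read_only and argv[1] not in READ_ONLY_VERBS:
        raise ValueError(f"verb {argv[1]!r} not permitted in read-only mode")
    return argv

def run_kubectl(command: str, read_only: bool = True) -> subprocess.CompletedProcess:
    # No shell: every argv element reaches kubectl as one literal argument.
    return subprocess.run(build_argv(command, read_only), shell=False,
                          capture_output=True, text=True, timeout=30, check=False)

# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "kubectl get pods -n default",
    "kubectl get pods; kubectl delete pod web-1",
    "kubectl delete pod web-1",
]

def evaluate(samples=SAMPLES):
    """Return (command, first-token verdict, argv-handler verdict) per sample."""
    results = []
    for cmd in samples:
        try:
            build_argv(cmd)
            hardened = "accept"
        except ValueError as exc:
            hardened = f"reject: {exc}"
        results.append((cmd, naive_is_allowed(cmd), hardened))
    return results
```

The first-token check accepts all three samples, while the argv-based handler accepts only the plain read-only query; the policy is enforced on the parsed verb rather than on a string a shell will reinterpret.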
