Overview
The mcp-server-kubernetes package (versions <= 2.4.9) passes unsanitized input to execSync calls within the kubectl_scale, kubectl_patch, and explain_resource tools. Shell metacharacters in tool parameters allow arbitrary command execution on the host. CVSS 7.5.
Who Is Affected
Reported via GitHub Security Advisory GHSA-gjv4-ghm7-q58q. Affects organizations running the mcp-server-kubernetes package to manage Kubernetes clusters through MCP-enabled AI agents.
Where It Exists
The vulnerability is in three tools within mcp-server-kubernetes: kubectl_scale, kubectl_patch, and explain_resource. Each passes user-supplied parameters directly to execSync without sanitization.
When It Was Found
Published July 8, 2025. Affects versions <= 2.4.9. Fixed in v2.5.0.
How It Works
An attacker exploits the vulnerability through prompt injection in Kubernetes resources. For example, a malicious pod name or log content containing shell metacharacters (;, |, &&, $()) can be passed to the kubectl tools. When the MCP server processes these via execSync, the injected commands execute with the server's full privileges -- typically with Kubernetes admin credentials.
Impact
Full command execution on the server host with access to Kubernetes credentials. Attackers can take over the entire Kubernetes cluster, deploy malicious workloads, exfiltrate secrets, and pivot to other infrastructure. The attack surface is amplified because Kubernetes environments commonly contain sensitive credentials.
Mitigation
Update to mcp-server-kubernetes v2.5.0 or later. Replace execSync with execFileSync using argument arrays to prevent shell injection. Apply the principle of least privilege to Kubernetes service accounts used by MCP servers. Implement input validation and sanitization for all kubectl parameters.
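The execFileSync and input-validation advice above, sketched for a scale operation. This is an added example, not code from mcp-server-kubernetes or its v2.5.0 fix. The parameter names (resourceType, name, namespace, replicas), the allow-list patterns and the helper names are assumptions, and Node itself stands in for kubectl so the demonstration runs offline.

```javascript
const { execFileSync } = require('child_process');

// Assumed allow-list patterns (not from the project). Kubernetes names are
// lowercase DNS-style strings, so metacharacters, spaces and a leading '-'
// (which kubectl could read as a flag) are all rejected.
const NAME_RE = /^[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?$/;
const KIND_RE = /^[a-z][a-z0-9.]{0,62}$/;

function checked(label, value, re) {
  if (typeof value !== 'string' || !re.test(value)) {
    throw new Error(`invalid ${label}: ${JSON.stringify(value)}`);
  }
  return value;
}

// Build kubectl's argv as an array; no shell ever parses these strings.
function buildScaleArgs({ resourceType = 'deployment', name, namespace = 'default', replicas }) {
  if (!Number.isInteger(replicas) || replicas < 0) {
    throw new Error(`invalid replicas: ${JSON.stringify(replicas)}`);
  }
  return [
    'scale',
    `${checked('resourceType', resourceType, KIND_RE)}/${checked('name', name, NAME_RE)}`,
    `--replicas=${replicas}`,
    '-n', checked('namespace', namespace, NAME_RE),
  ];
}

// Hardened call shape: binary and arguments are separate, shell stays off.
function runKubectl(args) {
  return execFileSync('kubectl', args, { encoding: 'utf8', shell: false });
}

// Offline demonstration: Node stands in for kubectl and echoes the argv it
// received, showing that metacharacters arrive as inert literal text.
function echoArgv(args) {
  const script = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  const out = execFileSync(process.execPath, ['-e', script, '--', ...args], { encoding: 'utf8' });
  return JSON.parse(out);
}

// Constructed sample input carrying shell metacharacters.
const hostile = 'web; echo INJECTED';
```

buildScaleArgs rejects the constructed hostile value before any process is started, and echoArgv shows that even an unvalidated string reaches the child as one literal argument when no shell is involved.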