CVE-2025-59376: mcp-kubernetes-server has a Command Injection vulnerability

September 15, 2025 (updated September 25, 2025)

mcp-kubernetes-server does not correctly enforce the --disable-write / --disable-delete protections when commands are chained. The server only inspects the first token to decide whether an operation is write/delete, which allows a read-like command to be followed by a write action using shell metacharacters (e.g., kubectl version; kubectl delete pod <name>). A remote attacker who can invoke the server may therefore bypass the intended write/delete restrictions and perform state-changing operations against the Kubernetes cluster.

Affected versions: through 0.1.11 (no patched release available as of now).

Mitigations:

Run with --disable-kubectl and/or --disable-helm to fully block those execution paths.
Put the server behind an allow-list proxy restricting allowed subcommands.

References

Code Behaviors & Features

Detect and mitigate CVE-2025-59376 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →