CVE-2025-59377: mcp-kubernetes-server has an OS Command Injection vulnerability
feiskyer/mcp-kubernetes-server through 0.1.11 allows OS command injection via the /mcp/kubectl endpoint. The handler constructs a shell command with user-supplied arguments and executes it with subprocess using shell=True, enabling injection through shell metacharacters (e.g., ;, &&, $()), even when the server is running in read-only mode.
A remote, unauthenticated attacker can execute arbitrary OS commands on the host, resulting in full compromise of confidentiality, integrity, and availability.
This issue is distinct from mcp-server-kubernetes and from CVE-2025-53355.
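A hardened invocation pattern for the handler described above, added here as an illustration and not taken from mcp-kubernetes-server: the function names, the subcommand allowlists and the metacharacter rule are assumptions. It tokenises the client-supplied argument string, enforces a per-mode subcommand allowlist (so read-only mode actually limits what can run), and passes an argv list to subprocess.run without a shell.

```python
from __future__ import annotations

import shlex
import subprocess
from typing import Optional

# Allowlists are constructed for this example; a real deployment would tune them.
READ_ONLY_SUBCOMMANDS = frozenset({"get", "describe", "logs", "top", "explain", "version"})
READ_WRITE_SUBCOMMANDS = READ_ONLY_SUBCOMMANDS | {"apply", "delete", "scale", "rollout"}

# Rejected outright as defence in depth. With shell=False they would be inert
# anyway, but refusing them keeps the log of rejected requests useful.
SHELL_METACHARACTERS = set(";&|$`<>\n")


def build_kubectl_argv(user_args: str, read_only: bool = True) -> list[str]:
    """Turn an untrusted argument string into an argv list, or raise ValueError.

    Unlike the vulnerable pattern the advisory describes (a single command
    string built from user input and run with shell=True), nothing here is
    ever parsed by /bin/sh, so ';', '&&' and '$()' cannot end the command
    or start another one.
    """
    if any(ch in SHELL_METACHARACTERS for ch in user_args):
        raise ValueError("shell metacharacters are not allowed in kubectl arguments")
    tokens = shlex.split(user_args)  # honours quoting; raises ValueError on unbalanced quotes
    if tokens and tokens[0] == "kubectl":
        tokens = tokens[1:]  # tolerate a leading 'kubectl', but never a different binary
    subcommand = tokens[0] if tokens else ""
    allowed = READ_ONLY_SUBCOMMANDS if read_only else READ_WRITE_SUBCOMMANDS
    if subcommand not in allowed:
        raise ValueError(f"subcommand {subcommand!r} is not permitted in this mode")
    return ["kubectl", *tokens]


def check_kubectl_args(user_args: str, read_only: bool = True) -> Optional[str]:
    """Return None if the request would be accepted, otherwise the rejection reason."""
    try:
        build_kubectl_argv(user_args, read_only)
    except ValueError as exc:
        return str(exc)
    return None


def run_kubectl(user_args: str, read_only: bool = True) -> subprocess.CompletedProcess:
    """Validate, then execute as a list without a shell (shell=False is the default)."""
    argv = build_kubectl_argv(user_args, read_only)
    return subprocess.run(argv, capture_output=True, text=True, check=False, timeout=30)
```

Note that subcommands such as exec and plugin dispatch are excluded by the allowlist rather than by the metacharacter check, since they can run programs without any shell being involved.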
References
- github.com/advisories/GHSA-4hqq-7q79-932p
- github.com/feiskyer/mcp-kubernetes-server
- github.com/feiskyer/mcp-kubernetes-server/blob/78957b6c1a3982080cf6fcaac6f6e9014116a71c/src/mcp_kubernetes_server/command.py
- github.com/william31212/CVE-Requests-1896609
- nvd.nist.gov/vuln/detail/CVE-2025-59377
- www.tenable.com/cve/CVE-2025-59377