CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.




CVE-2025-53355
CVSS 7.5 | EPSS 0.04%

When AI Takes the Wheel: Command Injection in Kubernetes MCP Server

Amit Schendel
Senior Security Researcher

Jan 1, 2026

PoC Available

Executive Summary (TL;DR)

The mcp-server-kubernetes package trusted user input blindly, passing it directly into `child_process.execSync`. This allowed attackers to inject shell metacharacters through parameters like 'namespace', turning a helpful Kubernetes management tool into a remote shell for the host machine. Fixed in version 2.5.0.

A critical Remote Code Execution (RCE) vulnerability in the mcp-server-kubernetes implementation allows attackers to execute arbitrary shell commands via malicious Model Context Protocol (MCP) tool parameters. By tricking an LLM into processing a crafted prompt, an attacker can pivot from natural language to root access.

Official Patches

  • Flux159 (GitHub): Commit ab165f5 fixing the vulnerability

Technical Appendix

CVSS Score: 7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 0.04%
Top 100% most exploited

Affected Systems

  • mcp-server-kubernetes < 2.5.0
  • AI Agents using the Kubernetes MCP tool
  • Developer workstations with mcp-server-kubernetes installed

Affected Versions Detail

Product | Affected Versions | Fixed Version
mcp-server-kubernetes (Flux159) | < 2.5.0 | 2.5.0

Attribute | Detail
CWE ID | CWE-78 (OS Command Injection)
CVSS Score | 7.5 (High)
Attack Vector | Network (via LLM Prompt Injection)
Platform | Node.js / Kubernetes
Vulnerable Function | child_process.execSync

MITRE ATT&CK Mapping

  • T1059: Command and Scripting Interpreter (Execution)
  • T1204: User Execution (Execution)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Known Exploits & Detection

  • GitHub Advisory: Advisory detailing the command injection vector in namespace parameters

Vulnerability Timeline

  • 2025-02-21: Vulnerability identified by Marco Dell'Alibera
  • 2025-02-21: Fix commit pushed to GitHub
  • 2025-02-25: CVE Published

Related Vulnerabilities
  • GHSA-3q26-f695-pp76
  • GHSA-rwc2-f344-q6w6
  • GHSA-vf9j-h32g-2764
