CVE-2025-66404 Overview
CVE-2025-66404 is a command injection vulnerability in mcp-server-kubernetes, a Model Context Protocol (MCP) server that connects to and manages Kubernetes clusters. The exec_in_pod tool accepts user-provided commands in both array and string formats. When a string is supplied, it is passed directly to sh -c without input validation, allowing shell metacharacters to be interpreted. Attackers can exploit this through direct command injection or indirect prompt injection against AI agents that invoke the tool. The flaw is tracked under [CWE-77: Improper Neutralization of Special Elements used in a Command]. The issue is fixed in version 2.9.8.
Critical Impact
Authenticated attackers can execute arbitrary shell commands inside Kubernetes pods, leading to full compromise of containerized workloads and potential lateral movement within the cluster.
Affected Products
- suyogs/mcp-server-kubernetes versions prior to 2.9.8
- Node.js deployments of the MCP server for Kubernetes
- AI agent environments integrating the vulnerable MCP tool
Discovery Timeline
- 2025-12-03 - CVE-2025-66404 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66404
Vulnerability Analysis
The exec_in_pod tool in mcp-server-kubernetes exposes a command execution interface for Kubernetes pods. The tool's input schema accepts the command parameter as either a string or string[]. When the parameter arrives as a string, the server hands it to the shell via sh -c, which interprets metacharacters such as ;, &&, |, backticks, and $(). An attacker controlling the command value can append arbitrary shell payloads that execute within the targeted pod's container context. Because MCP servers are commonly driven by AI agents, attackers can also trigger execution through indirect prompt injection, where malicious instructions hidden in retrieved data cause the agent to call exec_in_pod with attacker-supplied strings.
Root Cause
The root cause is missing input validation and the dual acceptance of string and array command formats. Accepting a raw string and delegating parsing to sh -c mixes data with control characters. The patch eliminates string input entirely and enforces array-only execution, bypassing the shell.
Attack Vector
Exploitation requires the attacker to influence the command argument passed to exec_in_pod. This can occur directly from a malicious MCP client or indirectly when an AI agent processes attacker-controlled content and forwards it as a tool call. Successful exploitation yields arbitrary command execution inside the target pod, with the privileges of the pod's service account and any mounted secrets.
// Security patch in src/index.ts - command type narrowed to string[]
input as {
name: string;
namespace?: string;
- command: string | string[];
+ command: string[];
container?: string;
+ timeout?: number;
context?: string;
}
);
Source: GitHub commit d091107
// Security patch in src/tools/exec_in_pod.ts - shell interpretation removed
* Tool: exec_in_pod
* Execute a command in a Kubernetes pod or container and return the output.
* Uses the official Kubernetes client-node Exec API for native execution.
- * Supports both string and array command formats, and optional container targeting.
+ *
+ * SECURITY: Only accepts commands as an array of strings. This prevents command
+ * injection attacks by executing directly without shell interpretation.
+ * Shell operators (pipes, redirects, etc.) are intentionally not supported.
*/
import * as k8s from "@kubernetes/client-node";
Source: GitHub commit d091107
The patch removes the union type accepting strings and documents that shell operators are intentionally unsupported. Execution now flows through the Kubernetes client-node Exec API with discrete argv tokens.
Detection Methods for CVE-2025-66404
Indicators of Compromise
- Unexpected kubectl exec or pod exec API calls originating from MCP server processes
- Pod audit logs showing sh -c invocations containing shell metacharacters such as ;, &&, |, or $()
- MCP tool call logs where the command parameter is a string rather than an array
- Outbound network connections from application pods to attacker-controlled hosts following MCP tool use
Detection Strategies
- Inspect MCP server request logs for exec_in_pod invocations where command is a string type
- Correlate Kubernetes API audit events for pods/exec subresource calls with MCP server identities
- Hunt for shell metacharacters in process command lines spawned by sh -c inside workload containers
- Review AI agent transcripts for prompt injection patterns that instruct the agent to invoke pod execution tools
Monitoring Recommendations
- Enable Kubernetes audit logging at Metadata level or higher for the pods/exec subresource
- Forward MCP server stdout/stderr and request logs to a centralized logging platform
- Alert on any execution of sh, bash, or /bin/sh with -c inside pods that do not normally spawn shells
- Track service account token usage from pods to detect post-exploitation lateral movement
How to Mitigate CVE-2025-66404
Immediate Actions Required
- Upgrade mcp-server-kubernetes to version 2.9.8 or later
- Audit recent exec_in_pod invocations for string-format commands containing shell metacharacters
- Rotate Kubernetes service account tokens accessible from pods that were exposed to the vulnerable server
- Restrict the MCP server's kubeconfig to least-privilege RBAC scoped to required namespaces
Patch Information
The fix is delivered in mcp-server-kubernetes 2.9.8 through commit d091107ff92d9ffad1b3c295092f142d6578c48b. The patch narrows the command parameter type to string[] only and routes execution through the Kubernetes client-node Exec API without shell interpretation. Details are published in the GitHub Security Advisory GHSA-wvxp-jp4w-w8wg.
Workarounds
- Disable or remove the exec_in_pod tool from the MCP server configuration until the upgrade is applied
- Place an input validation proxy in front of the MCP server that rejects string-type command values
- Limit MCP server network exposure to trusted clients using mutual TLS or authenticated reverse proxies
- Constrain pod security contexts with runAsNonRoot, read-only root filesystems, and dropped capabilities to limit blast radius
# Upgrade to the patched release
npm install mcp-server-kubernetes@2.9.8
# Verify the installed version
npm list mcp-server-kubernetes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

