Cyber Posture

CVE-2025-66404

Medium · Public PoC

Published: 03 December 2025
Modified: 16 December 2025
KEV Added
Patch
CVSS Score: 6.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.8th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly addresses the lack of input validation on user-provided string commands passed to sh -c, preventing shell metacharacter interpretation and command injection.

prevent

Requires timely flaw remediation, such as patching to version 2.9.8, to eliminate the specific command injection vulnerability in exec_in_pod.

prevent

Restricts inputs to the exec_in_pod tool to safe formats like arrays only, blocking string-based shell metacharacter exploitation.
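
The array-only restriction described above, as an added example that is not code from mcp-server-kubernetes or its 2.9.8 fix. `legacyArgv`, `strictArgv`, `auditCalls` and the sample calls are hypothetical names and constructed data, and refusing an array that itself asks for `sh -c` is an extra assumption of this example.

```javascript
// Added example: hypothetical helpers, not code from mcp-server-kubernetes.
const SHELLS = new Set(["sh", "bash", "dash", "ash", "zsh", "ksh"]);

// Model of the behaviour the description attributes to versions before 2.9.8:
// an array is used as argv, a string is handed to a shell.
function legacyArgv(command) {
  return Array.isArray(command) ? command : ["sh", "-c", command];
}

// Array-only policy: every element is one literal argument, no shell parsing.
function strictArgv(command) {
  if (!Array.isArray(command) || command.length === 0) {
    throw new TypeError("command must be a non-empty array of strings");
  }
  for (const arg of command) {
    if (typeof arg !== "string" || arg.includes("\0")) {
      throw new TypeError("each argument must be a string without NUL bytes");
    }
  }
  // An array can still ask for a shell explicitly; refuse that as well.
  const program = command[0].split("/").pop();
  if (SHELLS.has(program) && command.slice(1).some((a) => /^-[a-z]*c/.test(a))) {
    throw new Error("shell -c invocation is not allowed");
  }
  return command.slice();
}

// Review helper: which recorded tool calls would have reached a shell parser?
function auditCalls(calls) {
  return calls.map(({ id, command }) => {
    let verdict = "ok";
    try { strictArgv(command); } catch (e) { verdict = "reject: " + e.message; }
    return { id, verdict, legacy: legacyArgv(command) };
  });
}

// Constructed sample tool-call arguments (not taken from real logs).
const SAMPLE_CALLS = [
  { id: 1, command: ["ls", "-l", "/data"] },
  { id: 2, command: "ls /data; echo injected" },
  { id: 3, command: ["/bin/sh", "-c", "ls /data | wc -l"] },
  { id: 4, command: ["ls", "/data; echo injected"] },
];

for (const r of auditCalls(SAMPLE_CALLS)) console.log(r.id, r.verdict);
```

Call 4 passes because the semicolon stays inside a single argument to `ls` and is never parsed by a shell; calls 2 and 3 are the ones to look for when reviewing agent tool-call logs.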

Security Summary · AI

CVE-2025-66404 is a command injection vulnerability (CWE-77) in the exec_in_pod tool of the mcp-server-kubernetes MCP Server, which connects to and manages Kubernetes clusters. In versions prior to 2.9.8, the tool accepts user-provided commands in both array and string formats. String-format commands are passed directly to shell interpretation via sh -c without input validation, enabling interpretation of shell metacharacters.

The vulnerability has a CVSS v3.1 base score of 6.4 (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H), indicating exploitation over the network but requiring high attack complexity, high privileges, and user interaction. Attackers with sufficient privileges can exploit it through direct command injection by supplying malicious strings or via indirect prompt injection attacks, where AI agents execute unintended commands on Kubernetes pods without explicit user intent, potentially leading to high-impact confidentiality, integrity, and availability compromises.

The vulnerability is fixed in version 2.9.8, as detailed in the project's GitHub security advisory (GHSA-wvxp-jp4w-w8wg) and the corresponding commit (d091107ff92d9ffad1b3c295092f142d6578c48b). Security practitioners should upgrade to 2.9.8 or later and review usage of the exec_in_pod tool, particularly in environments integrating AI agents.

This issue highlights risks in AI/ML-adjacent tools interfacing with infrastructure like Kubernetes, where prompt injection can bypass intended controls. No public evidence of real-world exploitation is available at publication.

Details

CWE(s)

Affected Products

suyogs
mcp-server-kubernetes
≤ 2.9.8

AI Security Analysis · AI

AI Category: AI Agent Protocols and Integrations
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: The CVE affects MCP Server Kubernetes, a server used by AI agents to manage Kubernetes clusters. The vulnerability enables p

MITRE ATT&CK Enterprise Techniques · AI

T1059.004 Unix Shell Execution: Adversaries may abuse Unix shell commands and scripts for execution.
T1609 Container Administration Command Execution: Adversaries may abuse a container administration service to execute commands within a container.
Why these techniques?

Vulnerability enables shell command injection via unsanitized string input to 'sh -c' in exec_in_pod tool (T1059.004: Unix Shell). Facilitates abuse of container administration commands for arbitrary execution in Kubernetes pods (T1609: Container Administration Command).
