Command Injection Vulnerability in MCP Server for Kubernetes by False257
CVE-2025-53355

7.5HIGH

Key Information:

Vendor

Flux159

Status
Mcp-server-kubernetes
Vendor
CVE Published:
8 July 2025

What is CVE-2025-53355?

A critical command injection vulnerability exists in the MCP Server Kubernetes, which facilitates connections to Kubernetes clusters for management purposes. Due to improper sanitization of input parameters used in the child_process.execSync call, this vulnerability allows attackers to inject arbitrary system commands. Exploitation of this flaw can lead to remote code execution with the privileges of the server process. This issue has been addressed in version 2.5.0, emphasizing the importance of updating to mitigate potential security risks.

Affected Version(s)

mcp-server-kubernetes < 2.5.0

References

https://github.com/Flux159/mcp-server-kubernetes/security...
x_refsource_CONFIRM
https://github.com/Flux159/mcp-server-kubernetes/commit/a...
x_refsource_MISC
https://github.com/cyanheads/git-mcp-server/commit/0dbd69...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-53355 : Command Injection Vulnerability in MCP Server for Kubernetes by False257