CVE-2025-53355 | THREATINT

Description

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. A command injection vulnerability exists in the mcp-server-kubernetes MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. This vulnerability is fixed in 2.5.0.

PUBLISHED Reserved 2025-06-27 | Published 2025-07-08 | Updated 2025-07-09 | Assigner GitHub_M

HIGH: 7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Product status

< 2.5.0

affected

References

github.com/...rnetes/security/advisories/GHSA-gjv4-ghm7-q58q exploit

github.com/...rnetes/security/advisories/GHSA-gjv4-ghm7-q58q

github.com/...ommit/ab165f5a0eea917fef5dbae954506fff6f4bf514

github.com/...ommit/0dbd6995ccdf76ab770b58013034365b2d06c4d9

cve.org (CVE-2025-53355)

nvd.nist.gov (CVE-2025-53355)

Download JSON