MCP Server Kubernetes Command Injection Vulnerability in exec_in_pod Tool
Vulnerability
A command injection vulnerability has been identified in the exec_in_pod tool of MCP Server Kubernetes in versions prior to 2.9.8. The tool lets users execute commands in Kubernetes pods, but when a command is provided as a string, it is passed to the shell for interpretation without proper validation. This allows arbitrary commands to be executed through shell metacharacters. The vulnerability can be exploited directly, or indirectly through prompt injection, where AI agents execute commands without user consent.
Impact
Exploitation of this vulnerability allows for arbitrary command execution within Kubernetes pods, as the injected commands are executed by the shell. This could lead to unauthorized access to sensitive data, such as secrets and environment variables, modification of pod states, or installation of backdoors. Additionally, if an AI agent is involved, it could execute commands on behalf of the user without explicit permission, potentially causing further harm.
Reproduction
To reproduce this vulnerability, first upload the vulnerable MCP Server Kubernetes version to a Kubernetes cluster. Then, use the exec_in_pod tool to execute a command as a string, including shell metacharacters. The command will be executed by the shell, demonstrating the command injection. For indirect prompt injection, inject instructions into pod logs that prompt an AI agent to execute commands via the exec_in_pod tool.
Remediation
Users can update to MCP Server Kubernetes version 2.9.8 or later, where this vulnerability has been fixed.
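The string-versus-array distinction behind this issue, as an added example (not code from MCP Server Kubernetes or from this advisory): `legacyExecArgv` models a string command being handed to a shell, and `strictExecArgv` shows one way a wrapper can accept only an argument array. The function names, the `allowShell` option and the sample command are assumptions made for illustration.

```javascript
// Added example. Function names are hypothetical, not the project's API.
const SHELLS = new Set(["sh", "bash", "dash", "ash", "zsh", "ksh"]);

// Weak pattern: a string command is wrapped in a shell, so ; | && $() and
// backticks inside it are interpreted in the pod instead of passed as data.
function legacyExecArgv(command) {
  return typeof command === "string" ? ["/bin/sh", "-c", command] : command;
}

// Hardened pattern: accept only an argv array and never add a shell.
// allowShell is an assumed opt-in for callers that truly need sh/bash.
function strictExecArgv(command, { allowShell = false } = {}) {
  if (!Array.isArray(command) || command.length === 0) {
    throw new TypeError("command must be a non-empty array of strings");
  }
  for (const arg of command) {
    if (typeof arg !== "string" || arg.includes("\0")) {
      throw new TypeError("arguments must be strings without NUL bytes");
    }
  }
  const program = command[0].split("/").pop();
  if (!allowShell && SHELLS.has(program)) {
    throw new Error(`refusing shell interpreter as argv[0]: ${program}`);
  }
  return [...command];
}

// Constructed sample input: a file path followed by an injected second command.
const sample = "cat /etc/hostname; echo INJECTED";

function compare() {
  const weak = legacyExecArgv(sample);
  let rejected = false;
  try { strictExecArgv(sample); } catch { rejected = true; }
  // As argv, the same text is one literal argument to cat, not two commands.
  const strict = strictExecArgv(["cat", "/etc/hostname; echo INJECTED"]);
  return { weak, rejected, strict };
}

console.log(compare());
```

With the array form, text retrieved from untrusted sources such as pod logs reaches the target program as a literal argument and is never parsed by a shell.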
