CVE-2025-59377: 
Python vulnerability analysis and mitigation

The CVE-2025-59377 vulnerability affects feiskyer mcp-kubernetes-server through version 0.1.11. This vulnerability allows OS command injection, even in read-only mode, via /mcp/kubectl because shell=True is used. The vulnerability is distinct from mcp-server-kubernetes and CVE-2025-53355 (NVD).

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). It has received a CVSS v3.1 Base Score of 9.8 (CRITICAL) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability stems from the kubectl tool implementation which constructs shell commands by prepending 'kubectl' to user-provided input. While the validation logic checks the first element of the command, it fails to sanitize the rest of the input for shell metacharacters (CVE-Request).

The vulnerability allows an unauthenticated attacker with access to the MCP endpoint to achieve Remote Code Execution (RCE) on the server host under the privileges of the MCP server process. This can lead to complete system compromise, data theft, and potential access to the entire Kubernetes cluster and internal network (CVE-Request).

The recommended mitigation involves rewriting the command.py module to avoid using shell=True with subprocess.run. Instead, commands and arguments should be passed as a list (e.g., subprocess.run(['kubectl', 'version', '--client'])). Additionally, all user-provided arguments must be strictly validated against an allow-list of known-safe kubectl subcommands and parameters, and command chaining metacharacters (&, |, ;, $, `) must be stripped or rejected (CVE-Request).