CVE-2025-59376 is a command injection vulnerability identified in the feiskyer mcp-kubernetes-server product, specifically in versions up to 0.1.11. The vulnerability arises from improper neutralization of special elements used in commands (CWE-77). The issue is located in the implementation of the --disable-write and --disable-delete options, which are intended to restrict certain kubectl operations. However, the parsing logic only inspects the first word of the command to determine if it is a write or delete operation. This flawed logic allows an attacker to chain commands using shell command separators (e.g., semicolons), bypassing the intended restrictions. For example, a command like "kubectl version; kubectl delete pod" is permitted because the first command "version" is not a write or delete operation, but the chained command "kubectl delete pod" executes nonetheless. This leads to unauthorized command execution on the underlying system. The vulnerability has a CVSS v3.1 base score of 3.7, indicating low severity, with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects the feiskyer mcp-kubernetes-server, a Kubernetes management/control plane server, which is likely used in container orchestration environments.

For European organizations, the impact of this vulnerability depends on the adoption of the feiskyer mcp-kubernetes-server product within their Kubernetes infrastructure. If deployed, attackers could remotely execute unauthorized commands by exploiting the command injection flaw, potentially leading to unauthorized modification of Kubernetes resources or disruption of containerized workloads. Although the CVSS score is low, the integrity of Kubernetes operations could be compromised, leading to potential unauthorized deletion or modification of pods or other resources. This could affect service reliability and data integrity. Given the high attack complexity and no known exploits, immediate widespread impact is unlikely, but targeted attacks against organizations using this product could result in operational disruptions or security breaches. The lack of confidentiality and availability impact reduces the risk of data leaks or denial of service, but integrity violations remain a concern. Organizations relying on Kubernetes for critical infrastructure or services should be aware of this vulnerability to prevent potential misuse.

To mitigate this vulnerability, European organizations should first identify any deployments of feiskyer mcp-kubernetes-server within their environments. Since no patches are currently linked, organizations should implement strict input validation and sanitization on any user-supplied commands or parameters interacting with the --disable-write and --disable-delete options. Restrict access to the management interface of the mcp-kubernetes-server to trusted networks and authenticated users only, even though the vulnerability does not require privileges, to reduce exposure. Employ network segmentation and firewall rules to limit external access to Kubernetes control plane components. Monitor logs for unusual command patterns or chained commands that could indicate exploitation attempts. Consider deploying runtime security tools that detect command injection or anomalous command execution within container orchestration environments. Engage with the vendor or community to obtain patches or updates addressing this issue as they become available. Additionally, review and harden Kubernetes RBAC policies to minimize the impact of any unauthorized command execution.