The vulnerability identified as CVE-2025-66404 affects the exec_in_pod tool within Flux159's mcp-server-kubernetes product versions prior to 2.9.8. This tool is designed to execute commands inside Kubernetes pods. When commands are provided in string format, they are passed directly to the shell (sh -c) without any sanitization or input validation, allowing shell metacharacters to be interpreted. This improper neutralization of special elements (CWE-77) enables command injection attacks. An attacker with authenticated access and the ability to provide input to exec_in_pod can execute arbitrary shell commands within the Kubernetes environment. The vulnerability also opens the door for indirect prompt injection attacks, where AI agents interacting with the system might inadvertently execute malicious commands without explicit user intent. The CVSS 3.1 score of 6.4 reflects a medium severity, considering the network attack vector, high complexity, required privileges, and user interaction. The impact includes potential full compromise of the Kubernetes cluster's managed pods, leading to confidentiality breaches, data integrity loss, and service disruption. The issue is resolved in version 2.9.8 of the product.

For European organizations, this vulnerability poses a significant risk to Kubernetes-managed environments, especially those relying on Flux159's mcp-server-kubernetes for cluster management. Exploitation could lead to unauthorized command execution within pods, potentially compromising sensitive data, disrupting critical services, or enabling lateral movement within the network. Given the widespread adoption of Kubernetes in European enterprises and public sector organizations, the impact could extend to cloud infrastructure, containerized applications, and DevOps pipelines. The requirement for authenticated access and user interaction somewhat limits the attack surface but does not eliminate the risk, particularly in environments where multiple users or automated agents interact with the exec_in_pod tool. The possibility of indirect prompt injection via AI agents further complicates defense strategies. Operational disruptions and data breaches resulting from this vulnerability could have regulatory and reputational consequences under GDPR and other European data protection frameworks.

European organizations should immediately upgrade Flux159 mcp-server-kubernetes to version 2.9.8 or later to remediate this vulnerability. Until patching is complete, restrict access to the exec_in_pod functionality to the minimum necessary set of trusted users and service accounts. Implement strict input validation and sanitization on any user-supplied commands before they reach the exec_in_pod tool, especially when commands are provided in string format. Monitor and audit usage of exec_in_pod for unusual or unauthorized command executions. Employ network segmentation and role-based access controls to limit exposure of Kubernetes management interfaces. Additionally, review and secure AI agent integrations to prevent indirect prompt injection attacks by enforcing strict command whitelisting and contextual validation. Incorporate runtime security tools that detect anomalous container or pod behavior indicative of exploitation attempts. Finally, maintain up-to-date incident response plans tailored to container and Kubernetes environments.