CRITICAL 9.8

GHSA-94gr-w3q5-rfqr

Open Source Kubectl MCP Server vulnerable to arbitrary code execution via user interaction with crafted HTML page

Details

An issue in Open Source Kubectl MCP Server v1.1.1 allows attackers to execute arbitrary code on a victim system via user interaction with a crafted HTML page.

Affected packages

npm / kubectl-mcp-server
Introduced in: 0
Fixed in: 1.2.0
Fix: npm install kubectl-mcp-server@1.2.0

PyPI / kubectl-mcp-server
Introduced in: 0
Fixed in: 1.2.0
Fix: pip install --upgrade 'kubectl-mcp-server>=1.2.0'
