Vulnerability	Vulnerable Version
H Arbitrary Argument Injection mcp-server-kubernetes is a MCP server for interacting with Kubernetes clusters via kubectl Affected versions of this package are vulnerable to Arbitrary Argument Injection through the `startPortForward` function in `src/tools/port_forward.ts`. An attacker can inject additional `kubectl` flags by supplying crafted `namespace`, `resourceType`, or `resourceName` values when starting a port-forward, causing the tool to run `kubectl` with attacker-controlled arguments. This can redirect the port-forward to unintended resources or alter `kubectl` behavior, leading to unauthorized access to cluster resources and disruption of the user’s port-forward session. How to fix Arbitrary Argument Injection? Upgrade `mcp-server-kubernetes` to version 3.5.0 or higher.	>=1.0.0 <3.5.0

Arbitrary Argument Injection

mcp-server-kubernetes is a MCP server for interacting with Kubernetes clusters via kubectl

Affected versions of this package are vulnerable to Arbitrary Argument Injection through the startPortForward function in src/tools/port_forward.ts. An attacker can inject additional kubectl flags by supplying crafted namespace, resourceType, or resourceName values when starting a port-forward, causing the tool to run kubectl with attacker-controlled arguments. This can redirect the port-forward to unintended resources or alter kubectl behavior, leading to unauthorized access to cluster resources and disruption of the user’s port-forward session.

How to fix Arbitrary Argument Injection?

Upgrade mcp-server-kubernetes to version 3.5.0 or higher.

>=1.0.0 <3.5.0

Go back to all versions of this package