{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mkp-server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MKP server"],"_cs_severities":["medium"],"_cs_tags":["kubernetes","denial-of-service","memory-exhaustion","unauthenticated","mcp","cloud"],"_cs_type":"advisory","_cs_vendors":["StacklokLabs"],"content_html":"\u003cp\u003eA critical vulnerability exists in the MKP (Model Context Protocol for Kubernetes) server, allowing an unauthenticated remote attacker to trigger a denial of service. The MKP server's \u003ccode\u003eget_resource\u003c/code\u003e MCP tool, which proxies Kubernetes pod log requests, improperly handles user-supplied \u003ccode\u003elimitBytes\u003c/code\u003e and \u003ccode\u003etailLines\u003c/code\u003e parameters. These parameters are parsed as unbounded \u003ccode\u003eint64\u003c/code\u003e values and forwarded directly to the Kubernetes API. The server then reads the entire log stream into an in-memory buffer without application-side size limits. This design flaw enables an attacker to exhaust the server's memory, leading to an Out-of-Memory (OOM) kill and service unavailability. The vulnerability is present in the default configuration of \u003ccode\u003emkp-server\u003c/code\u003e on port 8080 and requires no prior authentication or privileges. Proof-of-concept testing showed the MKP process RSS growing from 25.8 MB to 1,179.3 MB when handling a single request with \u003ccode\u003elimitBytes=134217728\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe MKP server listens on port 8080 by default without requiring authentication.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eNewGetResourceTool()\u003c/code\u003e is unconditionally registered, making the \u003ccode\u003eget_resource\u003c/code\u003e MCP tool available to unauthenticated users.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted \u003ccode\u003etools/call\u003c/code\u003e request via an HTTP POST to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint, specifying \u003ccode\u003eresource: \u0026quot;pods\u0026quot;\u003c/code\u003e and \u003ccode\u003esubresource: \u0026quot;logs\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin the request parameters, the attacker supplies arbitrarily large \u003ccode\u003eint64\u003c/code\u003e string values for \u003ccode\u003elimitBytes\u003c/code\u003e (e.g., \u0026quot;2147483647\u0026quot;) or \u003ccode\u003etailLines\u003c/code\u003e (e.g., \u0026quot;999999999\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe MKP server processes these unbounded parameters without validation and forwards them to the Kubernetes API to retrieve pod logs.\u003c/li\u003e\n\u003cli\u003eThe server then attempts to read the entire potentially massive log stream returned by the Kubernetes API directly into an in-memory \u003ccode\u003ebytes.Buffer\u003c/code\u003e using \u003ccode\u003eio.Copy\u003c/code\u003e, without any application-level size constraints.\u003c/li\u003e\n\u003cli\u003eThis unbounded read rapidly consumes the MKP server's available memory, causing its Resident Set Size (RSS) to grow significantly.\u003c/li\u003e\n\u003cli\u003eThe MKP server process eventually exhausts system memory, leading to an Out-of-Memory (OOM) termination and a denial of service for the entire MKP service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis is an unauthenticated remote Denial of Service (DoS) vulnerability that affects any deployment of the MKP server accessible over the network. Organizations running \u003ccode\u003emkp-server\u003c/code\u003e in its default configuration are vulnerable, as no authentication or specific flags are required to exploit \u003ccode\u003eget_resource\u003c/code\u003e. Kubernetes clusters containing pods with large accumulated logs, such as \u003ccode\u003ekube-system\u003c/code\u003e workloads in production environments, are particularly susceptible. The success of this attack makes the entire MKP service unavailable, disrupting cluster observability and any downstream consumers relying on the MCP interface. A single crafted \u003ccode\u003etools/call\u003c/code\u003e request with a sufficiently large \u003ccode\u003elimitBytes\u003c/code\u003e or \u003ccode\u003etailLines\u003c/code\u003e value is enough to trigger the memory exhaustion, as the internal rate limiter only caps request frequency and not data volume.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate the MKP server to a patched version that implements application-side limits for \u003ccode\u003elimitBytes\u003c/code\u003e and \u003ccode\u003etailLines\u003c/code\u003e parameters as described in the provided remediation code.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the MKP server's default port 8080 from untrusted sources to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor the MKP server process memory usage (RSS) for sudden, large increases or OOM events that deviate from normal operational baselines.\u003c/li\u003e\n\u003cli\u003eReview web server or proxy logs for HTTP POST requests to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint containing \u003ccode\u003etools/call\u003c/code\u003e method with unusually large string values for \u003ccode\u003elimitBytes\u003c/code\u003e or \u003ccode\u003etailLines\u003c/code\u003e in the JSON request body.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T19:21:23Z","date_published":"2026-07-14T19:21:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mkp-pod-log-dos/","summary":"An unauthenticated remote attacker can exploit a vulnerability in the MKP (Model Context Protocol for Kubernetes) server to exhaust its memory and cause a denial of service by sending a crafted `tools/call` request that manipulates `limitBytes` or `tailLines` parameters, leading to unbounded Kubernetes pod log reads into memory.","title":"MKP Pod Log Read Vulnerability Leads to Memory Exhaustion and Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-07-mkp-pod-log-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - MKP Server","version":"https://jsonfeed.org/version/1.1"}