<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>MKP Server - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/mkp-server/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 19:21:23 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/mkp-server/feed.xml" rel="self" type="application/rss+xml"/><item><title>MKP Pod Log Read Vulnerability Leads to Memory Exhaustion and Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2026-07-mkp-pod-log-dos/</link><pubDate>Tue, 14 Jul 2026 19:21:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mkp-pod-log-dos/</guid><description>An unauthenticated remote attacker can exploit a vulnerability in the MKP (Model Context Protocol for Kubernetes) server to exhaust its memory and cause a denial of service by sending a crafted `tools/call` request that manipulates `limitBytes` or `tailLines` parameters, leading to unbounded Kubernetes pod log reads into memory.</description><content:encoded><![CDATA[<p>A critical vulnerability exists in the MKP (Model Context Protocol for Kubernetes) server, allowing an unauthenticated remote attacker to trigger a denial of service. The MKP server's <code>get_resource</code> MCP tool, which proxies Kubernetes pod log requests, improperly handles user-supplied <code>limitBytes</code> and <code>tailLines</code> parameters. These parameters are parsed as unbounded <code>int64</code> values and forwarded directly to the Kubernetes API. The server then reads the entire log stream into an in-memory buffer without application-side size limits. This design flaw enables an attacker to exhaust the server's memory, leading to an Out-of-Memory (OOM) kill and service unavailability. The vulnerability is present in the default configuration of <code>mkp-server</code> on port 8080 and requires no prior authentication or privileges. Proof-of-concept testing showed the MKP process RSS growing from 25.8 MB to 1,179.3 MB when handling a single request with <code>limitBytes=134217728</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The MKP server listens on port 8080 by default without requiring authentication.</li>
<li>The <code>NewGetResourceTool()</code> is unconditionally registered, making the <code>get_resource</code> MCP tool available to unauthenticated users.</li>
<li>An unauthenticated attacker sends a crafted <code>tools/call</code> request via an HTTP POST to the <code>/mcp</code> endpoint, specifying <code>resource: &quot;pods&quot;</code> and <code>subresource: &quot;logs&quot;</code>.</li>
<li>Within the request parameters, the attacker supplies arbitrarily large <code>int64</code> string values for <code>limitBytes</code> (e.g., &quot;2147483647&quot;) or <code>tailLines</code> (e.g., &quot;999999999&quot;).</li>
<li>The MKP server processes these unbounded parameters without validation and forwards them to the Kubernetes API to retrieve pod logs.</li>
<li>The server then attempts to read the entire potentially massive log stream returned by the Kubernetes API directly into an in-memory <code>bytes.Buffer</code> using <code>io.Copy</code>, without any application-level size constraints.</li>
<li>This unbounded read rapidly consumes the MKP server's available memory, causing its Resident Set Size (RSS) to grow significantly.</li>
<li>The MKP server process eventually exhausts system memory, leading to an Out-of-Memory (OOM) termination and a denial of service for the entire MKP service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This is an unauthenticated remote Denial of Service (DoS) vulnerability that affects any deployment of the MKP server accessible over the network. Organizations running <code>mkp-server</code> in its default configuration are vulnerable, as no authentication or specific flags are required to exploit <code>get_resource</code>. Kubernetes clusters containing pods with large accumulated logs, such as <code>kube-system</code> workloads in production environments, are particularly susceptible. The success of this attack makes the entire MKP service unavailable, disrupting cluster observability and any downstream consumers relying on the MCP interface. A single crafted <code>tools/call</code> request with a sufficiently large <code>limitBytes</code> or <code>tailLines</code> value is enough to trigger the memory exhaustion, as the internal rate limiter only caps request frequency and not data volume.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update the MKP server to a patched version that implements application-side limits for <code>limitBytes</code> and <code>tailLines</code> parameters as described in the provided remediation code.</li>
<li>Restrict network access to the MKP server's default port 8080 from untrusted sources to reduce the attack surface.</li>
<li>Monitor the MKP server process memory usage (RSS) for sudden, large increases or OOM events that deviate from normal operational baselines.</li>
<li>Review web server or proxy logs for HTTP POST requests to the <code>/mcp</code> endpoint containing <code>tools/call</code> method with unusually large string values for <code>limitBytes</code> or <code>tailLines</code> in the JSON request body.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>kubernetes</category><category>denial-of-service</category><category>memory-exhaustion</category><category>unauthenticated</category><category>mcp</category><category>cloud</category></item></channel></rss>