Message-ID: <CAL7+V1zrwRGdo1p3w0mDKn_s61TUL+EvYi-oMns7Swavv_UaHA@mail.gmail.com>
Date: Wed, 18 Jun 2025 19:30:40 -0700
From: Rita Zhang <rita.z.zhang@...il.com>
To: oss-security@...ts.openwall.com
Subject: [kubernetes] CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks

Hello Kubernetes Community,

A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.

This issue has been rated Low (2.7) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L <https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L>, and assigned CVE-2025-4563.

Am I vulnerable?

All clusters that are using the DynamicResourceAllocation feature (disabled by default) and static pods together may be vulnerable.

Affected Versions

- kube-apiserver: v1.32.0 - v1.32.5
- kube-apiserver: v1.33.0 - 1.33.1

How do I mitigate this vulnerability?

This issue can be mitigated by:

- If you're not actively using the DynamicResourceAllocation features, the safest and simplest action is to turn off the feature on the API server.

Fixed Versions

- kube-apiserver >= v1.32.6
- kube-apiserver >= v1.33.2

Detection

All clusters that are using the DynamicResourceAllocation feature and static pods may be vulnerable.

Run the following commands to see if the feature is in use:

kubectl get ResourceClaim --all-namespaces

and

kubectl get pods --all-namespaces -o json | jq -r '
  .items[]
  | select(.metadata.annotations["kubernetes.io/config.mirror"] == "true")
  | "\(.metadata.namespace)/\(.metadata.name)"'

If you find evidence that this vulnerability has been exploited, please contact security@...ernetes.io

Thank You,

Rita Zhang on behalf of the Kubernetes Security Response Committee

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/132151

Acknowledgements

This vulnerability was reported by @amitschendel

The issue was fixed and coordinated by:

Patrick Ohly @pohly
Jordan Liggitt @liggitt
Balaji @SaranBalaji90
Rita Zhang @ritazh
Marko Mudrinić @xmudrii
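The exposure check described in the Detection section, written as an added offline example (not part of the advisory or the Kubernetes project): it combines the affected kube-apiserver version ranges, the presence of ResourceClaim objects and the presence of mirror (static) pods into one verdict, over constructed sample documents shaped like `kubectl get ... -o json` output. It goes slightly beyond the advisory's jq filter by treating any value of the kubernetes.io/config.mirror annotation as marking a mirror pod, a superset of the `== "true"` test.

```python
import re

# kube-apiserver ranges listed as affected in the advisory (inclusive bounds).
AFFECTED_RANGES = [((1, 32, 0), (1, 32, 5)), ((1, 33, 0), (1, 33, 1))]

def parse_version(v):
    """Turn 'v1.33.1' (or '1.33.1', '1.33.1-eks-abc') into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(v):
    ver = parse_version(v)
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)

def mirror_pods(pod_list):
    """'namespace/name' of every mirror (static) pod in a PodList document.
    Any kubernetes.io/config.mirror annotation counts (superset of the jq test)."""
    found = []
    for item in pod_list.get("items", []):
        meta = item.get("metadata", {})
        if "kubernetes.io/config.mirror" in (meta.get("annotations") or {}):
            found.append(f"{meta.get('namespace', 'default')}/{meta['name']}")
    return found

def assess(server_version, pod_list, claim_list):
    """Combine the advisory's three signals: version, ResourceClaims, mirror pods."""
    claims = [f"{c['metadata'].get('namespace', 'default')}/{c['metadata']['name']}"
              for c in claim_list.get("items", [])]
    mirrors = mirror_pods(pod_list)
    affected = is_affected_version(server_version)
    return {
        "affected_version": affected,
        "resource_claims": claims,
        "mirror_pods": mirrors,
        "potentially_vulnerable": affected and bool(claims) and bool(mirrors),
    }

# Constructed sample documents in the shape of `kubectl get ... -o json` output.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "etcd-node1",
                  "annotations": {"kubernetes.io/config.mirror": "true"}}},
    {"metadata": {"namespace": "default", "name": "web-7d9f", "annotations": {}}},
]}
SAMPLE_CLAIMS = {"items": [{"metadata": {"namespace": "ml", "name": "gpu-claim"}}]}

if __name__ == "__main__":
    print(assess("v1.32.3", SAMPLE_PODS, SAMPLE_CLAIMS))
```

To run it against a live cluster, feed it the parsed output of `kubectl version -o json`, `kubectl get pods --all-namespaces -o json` and `kubectl get resourceclaims --all-namespaces -o json`; a "potentially_vulnerable" verdict means the cluster matches all three advisory conditions and should be upgraded or have the feature gate turned off.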