CVE-2025-4563

A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/kubernetes/kubernetes/issues/132151
https://groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQ

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad en el controlador de admisión NodeRestriction que permite a los nodos eludir las comprobaciones de autorización de asignación dinámica de recursos. Cuando la función DynamicResourceAllocation está habilitada, el controlador valida correctamente los estados de las solicitudes de recursos durante las actualizaciones de estado de los pods, pero no realiza una validación equivalente durante su creación. Esto permite que un nodo comprometido cree pods espejo que acceden a recursos dinámicos no autorizados, lo que podría provocar una escalada de privilegios.

23 Jun 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-23 16:15

Updated : 2026-06-17 09:33

NVD link : CVE-2025-4563

Mitre link : CVE-2025-4563

CVE.ORG link : CVE-2025-4563

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2025-4563", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-4563", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-23T15:57:05.350312Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "jordan@liggitt.net", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}]}, "affected": [{"source": "jordan@liggitt.net", "affectedData": [{"vendor": "Kubernetes", "product": "Kubernetes", "versions": [{"status": "affected", "version": "v1.32.0 - v1.32.5"}, {"status": "affected", "version": "v1.33.0 - v1.33.1"}], "defaultStatus": "unaffected"}]}], "published": "2025-06-23T16:15:27.350", "references": [{"url": "https://github.com/kubernetes/kubernetes/issues/132151", "source": "jordan@liggitt.net"}, {"url": "https://groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQ", "source": "jordan@liggitt.net"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "jordan@liggitt.net", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation."}, {"lang": "es", "value": "Existe una vulnerabilidad en el controlador de admisi\u00f3n NodeRestriction que permite a los nodos eludir las comprobaciones de autorizaci\u00f3n de asignaci\u00f3n din\u00e1mica de recursos. Cuando la funci\u00f3n DynamicResourceAllocation est\u00e1 habilitada, el controlador valida correctamente los estados de las solicitudes de recursos durante las actualizaciones de estado de los pods, pero no realiza una validaci\u00f3n equivalente durante su creaci\u00f3n. Esto permite que un nodo comprometido cree pods espejo que acceden a recursos din\u00e1micos no autorizados, lo que podr\u00eda provocar una escalada de privilegios."}], "lastModified": "2026-06-17T09:33:31.753", "sourceIdentifier": "jordan@liggitt.net"}