{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-4563", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "state": "PUBLISHED", "assignerShortName": "kubernetes", "dateReserved": "2025-05-12T03:29:13.710Z", "datePublished": "2025-06-23T15:38:42.258Z", "dateUpdated": "2025-06-23T15:58:05.106Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "v1.32.0 - v1.32.5"}, {"status": "affected", "version": "v1.33.0 - v1.33.1"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "amitschendel"}], "datePublic": "2025-06-19T02:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.</div>"}], "value": "A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation."}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2025-06-23T15:38:42.258Z"}, "references": [{"tags": ["mailing-list"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQ"}, {"tags": ["issue-tracking"], "url": "https://github.com/kubernetes/kubernetes/issues/132151"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div>To mitigate this vulnerability, upgrade Kubernetes: <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/</a></div></div>"}], "value": "To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/"}], "source": {"discovery": "INTERNAL"}, "title": "Nodes can bypass dynamic resource allocation authorization checks", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-23T15:57:05.350312Z", "id": "CVE-2025-4563", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-23T15:58:05.106Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4563", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-23T15:57:05.350312Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-23T15:57:08.938Z"}}], "cna": {"title": "Nodes can bypass dynamic resource allocation authorization checks", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "amitschendel"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Kubernetes", "product": "Kubernetes", "versions": [{"status": "affected", "version": "v1.32.0 - v1.32.5"}, {"status": "affected", "version": "v1.33.0 - v1.33.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/", "supportingMedia": [{"type": "text/html", "value": "<div><div>To mitigate this vulnerability, upgrade Kubernetes: <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/</a></div></div>", "base64": false}]}], "datePublic": "2025-06-19T02:30:00.000Z", "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQ", "tags": ["mailing-list"]}, {"url": "https://github.com/kubernetes/kubernetes/issues/132151", "tags": ["issue-tracking"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.", "supportingMedia": [{"type": "text/html", "value": "<div>A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.</div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2025-06-23T15:38:42.258Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4563", "state": "PUBLISHED", "dateUpdated": "2025-06-23T15:58:05.106Z", "dateReserved": "2025-05-12T03:29:13.710Z", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "datePublished": "2025-06-23T15:38:42.258Z", "assignerShortName": "kubernetes"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation."}], "id": "CVE-2025-4563", "lastModified": "2025-06-23T20:16:21.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2025-06-23T16:15:27.350", "references": [{"source": "jordan@liggitt.net", "url": "https://github.com/kubernetes/kubernetes/issues/132151"}, {"source": "jordan@liggitt.net", "url": "https://groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQ"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Amit Schendel for reporting this issue.", "bugzilla": {"description": "kube-apiserver: NodeRestriction Admission Controller Dynamic Resource Allocation Bypass", "id": "2373839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373839"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-863", "details": ["A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.", "A flaw was found in the Kubernetes NodeRestriction admission controller when the DynamicResourceAllocation feature is enabled. While this controller properly validates resource claims during pod status updates, it fails to apply the same validation during pod creation. This oversight allows a compromised node to create mirror pods that can access unauthorized dynamic resources, potentially leading to unauthorized data access and privilege escalation. Although kubelet sanity checks usually prevent such pods from running, the lack of authorization enforcement at creation time poses a real security policy failure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-4563", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-hyperkube", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-hyperkube-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-kube-proxy", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-kube-proxy-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "ose-installer-kube-apiserver-artifacts-container", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-06-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-4563\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-4563"], "statement": "Red Hat Product Security has assessed the severity of this vulnerability as Low due to its limited preconditions and mitigated runtime impact. While successful exploitation requires a compromised node, the vulnerability enables that node to bypass API authorization checks and gain access to unauthorized dynamic resources. This represents a serious policy enforcement gap. Although kubelet checks often prevent affected pods from running, the underlying flaw allows violation of Kubernetes\u2019 access control boundaries.", "threat_severity": "Low"}