{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9708", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "state": "PUBLISHED", "assignerShortName": "kubernetes", "dateReserved": "2025-08-29T16:21:58.881Z", "datePublished": "2025-09-16T21:08:05.189Z", "dateUpdated": "2025-09-16T21:08:05.189Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kubernetes CSharp Client", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "17.0.13", "versionType": "semver"}, {"status": "unaffected", "version": "17.0.14"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "elliott-beach"}], "datePublic": "2025-09-16T02:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority (CA) without properly verifying the trust chain. This flaw allows a malicious actor to present a forged certificate and potentially intercept or manipulate communication with the Kubernetes API server, leading to possible man-in-the-middle attacks and API impersonation.</div>"}], "value": "A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority (CA) without properly verifying the trust chain. This flaw allows a malicious actor to present a forged certificate and potentially intercept or manipulate communication with the Kubernetes API server, leading to possible man-in-the-middle attacks and API impersonation."}], "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Man in the Middle Attack"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "Kubernetes C# Client: improper certificate validation in custom CA mode may lead to man-in-the-middle attacks"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "type": "CWE"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2025-09-16T21:08:05.189Z"}, "references": [{"tags": ["mailing-list"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/rLopt2Msvbw/m/rK6XeNw2CgAJ"}, {"tags": ["issue-tracking"], "url": "https://github.com/kubernetes/kubernetes/issues/134063"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div>Deploy the patch version of the Kubernetes C# client as soon as possible. Alternatively, move the CA certificates into the system trust store instead of specifying them in the kubeconfig file. Note: This approach may introduce new risks, as all processes on the system will begin to trust certificates signed by that CA. If you must use an affected version, you can disable custom CA and add the CA to the machine's trusted root.</div></div>"}], "value": "Deploy the patch version of the Kubernetes C# client as soon as possible. Alternatively, move the CA certificates into the system trust store instead of specifying them in the kubeconfig file. Note: This approach may introduce new risks, as all processes on the system will begin to trust certificates signed by that CA. If you must use an affected version, you can disable custom CA and add the CA to the machine's trusted root."}], "source": {"discovery": "EXTERNAL"}, "title": "Kubernetes C# Client: improper certificate validation in custom CA mode may lead to man-in-the-middle attacks", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority (CA) without properly verifying the trust chain. This flaw allows a malicious actor to present a forged certificate and potentially intercept or manipulate communication with the Kubernetes API server, leading to possible man-in-the-middle attacks and API impersonation."}], "id": "CVE-2025-9708", "lastModified": "2025-09-16T22:15:33.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2025-09-16T22:15:33.407", "references": [{"source": "jordan@liggitt.net", "url": "https://github.com/kubernetes/kubernetes/issues/134063"}, {"source": "jordan@liggitt.net", "url": "https://groups.google.com/g/kubernetes-security-announce/c/rLopt2Msvbw/m/rK6XeNw2CgAJ"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{}