CVE-2025-4563

Published Jun 23, 2025

Last updated 9 months ago

CVSS low 2.7
Kubernetes

Overview

Description
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
Source: jordan@liggitt.net
NVD status: Awaiting Analysis
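
A cluster-side check for the condition the description names, as an added example (not code from Kubernetes or from this advisory): it flags mirror pods that reference dynamic resource claims in the output of `kubectl get pods --all-namespaces -o json`. The annotation key `kubernetes.io/config.mirror` and the `spec.resourceClaims` field are Kubernetes API names not shown on this page; the function names and the sample pods are constructed.

```python
import json

MIRROR_ANNOTATION = "kubernetes.io/config.mirror"  # set by the kubelet on mirror pods


def claim_refs(pod):
    """Return the resource claim references of a mirror pod, else []."""
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    if MIRROR_ANNOTATION not in annotations:
        return []
    refs = []
    for rc in (pod.get("spec") or {}).get("resourceClaims") or []:
        # A claim is named directly or generated from a template.
        target = rc.get("resourceClaimName") or rc.get("resourceClaimTemplateName")
        refs.append((rc.get("name"), target))
    return refs


def audit_pod_list(pod_list):
    """Flag mirror pods in a PodList object that reference resource claims."""
    findings = []
    for pod in pod_list.get("items") or []:
        refs = claim_refs(pod)
        if refs:
            meta = pod["metadata"]
            findings.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "node": (pod.get("spec") or {}).get("nodeName"),
                "claims": refs,
            })
    return findings


# Constructed sample: an ordinary pod with a claim, a plain mirror pod, and
# a mirror pod that references a resource claim (the case to investigate).
SAMPLE = {"items": [
    {"metadata": {"namespace": "ml", "name": "trainer"},
     "spec": {"nodeName": "node-a",
              "resourceClaims": [{"name": "gpu", "resourceClaimName": "gpu-claim"}]}},
    {"metadata": {"namespace": "kube-system", "name": "etcd-node-a",
                  "annotations": {MIRROR_ANNOTATION: "c0ffee"}},
     "spec": {"nodeName": "node-a"}},
    {"metadata": {"namespace": "default", "name": "static-web-node-b",
                  "annotations": {MIRROR_ANNOTATION: "abc123"}},
     "spec": {"nodeName": "node-b",
              "resourceClaims": [{"name": "dev", "resourceClaimName": "other-team-claim"}]}},
]}

if __name__ == "__main__":
    print(json.dumps(audit_pod_list(SAMPLE), indent=2))
```

Each finding names the node that the mirror pod is bound to, which is the node to examine first.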

Risk scores

CVSS 3.1

Type: Secondary
Base score: 2.7
Impact score: 1.4
Exploitability score: 1.2
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Severity: LOW

Weaknesses

jordan@liggitt.net: CWE-20

Social media

  1. 🚨 Fedora 41 Admins: A critical Kubernetes NodeRestriction bypass (CVE-2025-4563) has been patched in v1.32.6. Learn how to secure your clusters and boost container security. Read more: 👉 https://t.co/HBFDkZiDEN #DevOps #CyberSecurity #Kubernetes https://t.co/G5Jed45F

    @Cezar_H_Linux

    29 Jun 2025


  2. A Kubernetes vulnerability (CVE-2025-4563) in NodeRestriction can let nodes bypass resource checks & escalate privileges, affecting certain versions. Update to patched v1.32.6/1.33.2 to mitigate. ⚠️ #Kubernetes #Security #Japan https://t.co/qLOr1mFNux

    @TweetThreatNews

    25 Jun 2025


  3. 🚨 Critical #Kubernetes Flaw #CVE-2025-4563 Exposes Privilege Escalation Risk via Mirror Pods https://t.co/xLUfU8jpqT

    @UndercodeNews

    25 Jun 2025


  4. Kubernetes users, heads up! 🚨 CVE-2025-4563 can lead to privilege escalation if DynamicResourceAllocation is enabled. Update to v1.32.6/v1.33.2 ASAP or disable the feature. Audit your cluster configs! #kubernetes #security #CVE https://t.co/WmV47qPage

    @fernandokarl

    25 Jun 2025


  5. CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks - https://t.co/qJ1gyHBlLS

    @kubernetesio

    19 Jun 2025


  6. CVE-2025-4563: Kubernetes: Nodes can bypass dynamic resource allocation authorization checks https://t.co/B6v99HAGbf allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation

    @oss_security

    19 Jun 2025
