AI description
CVE-2025-4563 is an incorrect authorization vulnerability found in the Kubernetes kube-apiserver. It stems from improper access control within the NodeRestriction admission controller, which allows nodes to bypass dynamic resource allocation authorization checks. This vulnerability could be exploited by attackers with low-privileged network access to gain unauthorized access to sensitive information or partially modify system configurations. It is recommended to upgrade to version 1.32.6 or 1.33.2 to eliminate this vulnerability or, if DynamicResourceAllocation features are not actively in use, to turn the feature off on the API server.
- Description
- A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
- Source
- jordan@liggitt.net
- NVD status
- Awaiting Analysis
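The description above boils down to a check that existed on the pod status update path but not on the pod create path. The following Go model, an added example and not Kubernetes' own admission code, reproduces that asymmetry with simplified stand-in types: `admitPodStatusUpdate` rejects a node that alters `resourceClaimStatuses`, while `admitPodCreate` only does so when `fixed` is true. The deep-equality comparison and the "reject any pre-populated statuses on create" rule are assumptions about how the check is expressed, not a quotation of the upstream fix.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Simplified stand-ins for the Kubernetes API types (constructed for this
// example, not the real k8s.io/api structs).
type ResourceClaimStatus struct {
	Name              string // matches an entry in pod.spec.resourceClaims
	ResourceClaimName string // ResourceClaim object the pod is allowed to use
}

type Pod struct {
	Name                  string
	NodeName              string
	ResourceClaimStatuses []ResourceClaimStatus // pod.status.resourceClaimStatuses
}

var ErrForbidden = errors.New("forbidden")

// admitPodStatusUpdate models the check the advisory says already existed:
// a node updating a pod's status may not alter resourceClaimStatuses.
// (Deep-equality comparison is an assumption of this model.)
func admitPodStatusUpdate(node string, oldPod, newPod *Pod, draEnabled bool) error {
	if newPod.NodeName != node {
		return fmt.Errorf("%w: node %q may only update pods bound to it", ErrForbidden, node)
	}
	if draEnabled && !reflect.DeepEqual(oldPod.ResourceClaimStatuses, newPod.ResourceClaimStatuses) {
		return fmt.Errorf("%w: node %q may not change resourceClaimStatuses", ErrForbidden, node)
	}
	return nil
}

// admitPodCreate models the create path for node-created (mirror) pods.
// fixed=false reproduces the gap: no resource-claim check at all.
// fixed=true applies the equivalent check (assumed rule: reject any
// pre-populated resourceClaimStatuses). The check is gated on the
// DynamicResourceAllocation feature flag, as the advisory describes.
func admitPodCreate(node string, pod *Pod, draEnabled, fixed bool) error {
	if pod.NodeName != node {
		return fmt.Errorf("%w: node %q may only create pods bound to it", ErrForbidden, node)
	}
	if fixed && draEnabled && len(pod.ResourceClaimStatuses) > 0 {
		return fmt.Errorf("%w: node %q may not create pods with resourceClaimStatuses", ErrForbidden, node)
	}
	return nil
}

func main() {
	pod := &Pod{Name: "mirror-pod", NodeName: "node-1",
		ResourceClaimStatuses: []ResourceClaimStatus{{Name: "gpu", ResourceClaimName: "some-claim"}}}
	fmt.Println("unpatched create:", admitPodCreate("node-1", pod, true, false)) // <nil>: admitted
	fmt.Println("patched create:  ", admitPodCreate("node-1", pod, true, true))  // forbidden
}
```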
CVSS 3.1
- Type
- Secondary
- Base score
- 2.7
- Impact score
- 1.4
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
- Severity
- LOW
- jordan@liggitt.net
- CWE-20
- Hype score
- Not currently trending
Fedora 41 Admins: A critical Kubernetes NodeRestriction bypass (CVE-2025-4563) has been patched in v1.32.6. Learn how to secure your clusters and boost container security. Read more: https://t.co/HBFDkZiDEN #DevOps #CyberSecurity #Kubernetes https://t.co/G5Jed45F
@Cezar_H_Linux
29 Jun 2025
51 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A Kubernetes vulnerability (CVE-2025-4563) in NodeRestriction can let nodes bypass resource checks & escalate privileges, affecting certain versions. Update to patched v1.32.6/1.33.2 to mitigate. #Kubernetes #Security #Japan https://t.co/qLOr1mFNux
@TweetThreatNews
25 Jun 2025
14 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Critical #Kubernetes Flaw #CVE-2025-4563 Exposes Privilege Escalation Risk via Mirror Pods https://t.co/xLUfU8jpqT
@UndercodeNews
25 Jun 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Kubernetes users, heads up! CVE-2025-4563 can lead to privilege escalation if DynamicResourceAllocation is enabled. Update to v1.32.6/v1.33.2 ASAP or disable the feature. Audit your cluster configs! #kubernetes #security #CVE https://t.co/WmV47qPage
@fernandokarl
25 Jun 2025
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks - https://t.co/qJ1gyHBlLS
@kubernetesio
19 Jun 2025
6271 Impressions
4 Retweets
28 Likes
4 Bookmarks
0 Replies
2 Quotes
CVE-2025-4563: Kubernetes: Nodes can bypass dynamic resource allocation authorization checks https://t.co/B6v99HAGbf allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation
@oss_security
19 Jun 2025
419 Impressions
0 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes