CVE-2025-4563

EUVD-2025-18894 | Severity: LOW 2.7 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  High
User Interaction:     None
Scope:                Unchanged
Confidentiality:      None
Integrity:            None
Availability:         Low

Lifecycle Timeline

Patch Released       Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated   Mar 15, 2026 - 22:10 (vuln.today)
EUVD ID Assigned     Mar 15, 2026 - 22:10 (euvd) - EUVD-2025-18894
CVE Published        Jun 23, 2025 - 16:15 (nvd)

Description

A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.

Technical Context

Privilege escalation allows a low-privileged user or process to gain elevated permissions beyond what was originally authorized. Here the starting point is a node's own credential (hence Privileges Required: High in the vector), which the NodeRestriction admission controller is supposed to confine to that node's own pods and resources; the missing check on pod creation lets it reach dynamic resources it was never authorized for. This vulnerability is classified as Improper Input Validation (CWE-20).

Remediation

Apply the fixed kubernetes packages listed under Vendor Status (a patch is available). Apply the principle of least privilege. Keep systems patched. Monitor for suspicious privilege changes. Use mandatory access controls (SELinux, AppArmor).

Priority Score

14 (scale: Low / Medium / High / Critical)

Components:
  KEV:  0
  EPSS: +0.0
  CVSS: +14
  POC:  0

Vendor Status

Ubuntu (priority: Medium), package kubernetes

  Release    Status         Version / Note
  plucky     DNE            -
  upstream   needs-triage   -
  oracular   ignored        end of life, was needs-triage
  focal      not-affected   code not present
  jammy      not-affected   code not present
  noble      not-affected   code not present

Debian, package kubernetes

  Release       Status   Fixed Version                     Urgency
  bullseye      fixed    1.20.5+really1.20.2-1             -
  bookworm      fixed    1.20.5+really1.20.2-1.1+deb12u1   -
  trixie        fixed    1.32.3+ds-2                       -
  forky, sid    fixed    1.33.4+ds-1                       -
  (unstable)    fixed    1.20.5+really1.20.2-1             -
