|
Vulnerabilities
< Back

CVE-2025-4563

Updated on 23 Jun 2025

Severity

2.7 Low severity

Details

CVSS score
2.7
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.

Details

Affected product:
argocd , argoproj/gitops-engine , kubernetes/kubernetes
Affected packages:
k8s.io/kubernetes @ 1.32.2 (+2 more)
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.