Cyber Posture

CVE-2025-29778

Medium · Public PoC

Published: 24 March 2025

Modified: 01 August 2025
KEV Added
Patch
CVSS Score: 5.8 · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
EPSS Score: 0.0009 · 25.9th percentile
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may deploy a container into an environment to facilitate execution or evade defenses.

Security Summary

CVE-2025-29778 is a vulnerability in Kyverno, a policy engine designed for cloud native platform engineering teams, affecting versions prior to 1.14.0-alpha.1. In keyless mode, Kyverno ignores the subjectRegExp and IssuerRegExp parameters during artifact signature verification. This improper authorization flaw, classified under CWE-285, enables the deployment of Kubernetes resources using artifacts signed by unexpected certificates.

Exploitation is possible over the network (AV:N) by attackers with high privileges (PR:H), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful attacks allow deployment of unauthorized Kubernetes resources, resulting in high integrity impact (I:H), changed scope (S:C), and potential full compromise of the Kubernetes cluster.

Kyverno version 1.14.0-alpha.1 includes a patch for the issue, as detailed in the associated GitHub security advisory (GHSA-46mp-8w32-6g94), commit (8777672fb17bdf252bd2e7d8de3441e240404a60), and pull request (#12237). Practitioners should upgrade to the patched version to mitigate the vulnerability.
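A triage check for the condition described above, added here as an example and not taken from Kyverno or the advisory: it flags keyless attestors in a policy document that depend on subjectRegExp/IssuerRegExp, and tests a version tag against the 1.13.0 to 1.13.6 range this page lists as affected. The `keyless`, `subject` and `issuer` key names are assumed from Kyverno's policy format, and the sample policy is constructed.

```python
import re

# Affected range as listed on this page: 1.13.0 through 1.13.6.
AFFECTED_MIN, AFFECTED_MAX = (1, 13, 0), (1, 13, 6)
REGEX_FIELDS = {"subjectregexp", "issuerregexp"}  # compared case-insensitively
EXACT_FIELDS = {"subject", "issuer"}              # assumed exact-match counterparts

def version_affected(tag):
    """True if a tag such as 'v1.13.4' falls in the listed range (pre-release suffix ignored)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$", tag)
    return bool(m) and AFFECTED_MIN <= tuple(map(int, m.groups())) <= AFFECTED_MAX

def keyless_blocks(node, path=""):
    """Yield (path, mapping) for every 'keyless' mapping anywhere in the policy."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "keyless" and isinstance(value, dict):
                yield here, value
            yield from keyless_blocks(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from keyless_blocks(item, f"{path}[{i}]")

def exposed_attestors(policy):
    """Keyless attestors whose identity pinning relies on the regex parameters."""
    findings = []
    for path, block in keyless_blocks(policy):
        set_fields = {k.lower() for k, v in block.items() if v}
        regex_used = sorted(set_fields & REGEX_FIELDS)
        if regex_used:
            findings.append({"path": path, "regex_fields": regex_used,
                             "exact_fields": sorted(set_fields & EXACT_FIELDS)})
    return findings

# Constructed sample: one attestor pinned only by regex, one by exact values.
SAMPLE_POLICY = {"kind": "ClusterPolicy", "spec": {"rules": [{"name": "check-sig", "verifyImages": [{
    "imageReferences": ["registry.example/app*"],
    "attestors": [{"entries": [
        {"keyless": {"subjectRegExp": r"https://github\.com/example-org/.*",
                     "issuerRegExp": r"https://token\.actions\.githubusercontent\.com"}},
        {"keyless": {"subject": "release@example.org",
                     "issuer": "https://accounts.example.org"}}]}]}]}]}}

if __name__ == "__main__":
    if version_affected("v1.13.4"):  # constructed version tag
        for finding in exposed_attestors(SAMPLE_POLICY):
            print("regex-only identity check at", finding["path"], finding["regex_fields"])
```

An attestor reported with an empty `exact_fields` list has no identity constraint other than the two parameters the affected versions ignore.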

Details

CWE(s)
CWE-285

Affected Products

kyverno · kyverno · 1.13.0 — 1.13.6

MITRE ATT&CK Enterprise Techniques

T1211 · Exploitation for Stealth · Stealth
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

T1610 · Deploy Container · Execution
Adversaries may deploy a container into an environment to facilitate execution or evade defenses.

Why these techniques?

Vulnerability bypasses Kyverno signature verification (subjectRegExp/IssuerRegExp), enabling unauthorized container deployments (T1610) and defense evasion via policy bypass (T1211) with scope change to full cluster compromise.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

References