CVE-2025-47281
BaseFortify
Publication date: 2025-07-23
Last updated on: 2025-08-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kyverno | kyverno | < 1.14.2 (1.14.2 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-47281 is a denial-of-service (DoS) vulnerability in Kyverno versions 1.14.1 and earlier. Kyverno mishandles certain JMESPath variable substitutions: a user with permission to create or update policies can write an expression that combines the {{@}} current-value reference with an invalid JMESPath function. Rather than being rejected when the policy is admitted, the expression resolves to nil, and that nil is substituted into the policy structure. Internal helpers such as getValueAsStringMap then perform a type assertion that expects a string; the assertion fails on the nil value and raises a Go panic, which crashes the Kyverno worker thread processing the request and the reports controller pod. The result is degraded performance or a complete admission controller crash, which blocks resource deployment. The issue is fixed in version 1.14.2. [1]
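The panic path described above, reconstructed as an added Go example (illustrative code, not Kyverno's getValueAsStringMap or its fix): vulnerableToStringMap uses the unchecked single-value type assertion that crashes on the nil produced by the bad substitution, hardenedToStringMap uses the two-value form and returns an error naming the offending key instead, and afterSubstitution is a constructed label map standing in for a policy fragment after {{@ | non_existent_function}} resolved to nil. runVulnerable exists only to catch the panic in-process so both behaviours can be compared in one run.

```go
package main

import "fmt"

// Illustrative reconstruction of the failure mode; example code, not Kyverno's
// implementation. After an expression such as {{@ | non_existent_function}}
// resolves to nil, the substituted policy fragment holds a nil where a string
// was expected.

// vulnerableToStringMap converts a decoded object to map[string]string with an
// unchecked single-value type assertion. On a nil entry Go panics with
// "interface conversion: interface {} is nil, not string"; inside a worker
// goroutine that panic takes the worker (or the whole process) down.
func vulnerableToStringMap(in map[string]interface{}) map[string]string {
	out := make(map[string]string, len(in))
	for k, v := range in {
		out[k] = v.(string) // panics for nil and for any non-string value
	}
	return out
}

// hardenedToStringMap does the same conversion with the two-value assertion
// and returns an error that names the offending key, so the caller can reject
// the policy instead of crashing.
func hardenedToStringMap(in map[string]interface{}) (map[string]string, error) {
	out := make(map[string]string, len(in))
	for k, v := range in {
		s, ok := v.(string)
		if !ok {
			return nil, fmt.Errorf("value for key %q: expected string, got %T", k, v)
		}
		out[k] = s
	}
	return out, nil
}

// runVulnerable wraps the unchecked conversion and turns a panic into an error
// so the crash can be observed without killing this demonstration process.
func runVulnerable(in map[string]interface{}) (m map[string]string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return vulnerableToStringMap(in), nil
}

// afterSubstitution is constructed sample input (not a real policy dump): the
// labels map of a policy after "owner" was set from an expression that
// resolved to nil.
func afterSubstitution() map[string]interface{} {
	return map[string]interface{}{
		"app":   "nginx",
		"owner": nil,
	}
}

func main() {
	in := afterSubstitution()
	if _, err := runVulnerable(in); err != nil {
		fmt.Println("unchecked assertion:", err)
	}
	if _, err := hardenedToStringMap(in); err != nil {
		fmt.Println("checked assertion:  ", err)
	}
	m, err := hardenedToStringMap(map[string]interface{}{"app": "nginx"})
	fmt.Println("valid input:", m, err)
}
```

The hardened form is the general rule for any code that turns user-controlled policy content into typed Go values: a single-value assertion on data you did not construct yourself is a crash waiting for the first unexpected type, and nil is only the most common one.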
How can this vulnerability impact me?
The panic can crash Kyverno's admission controller worker threads and the reports controller pod repeatedly. In Audit mode (validationFailureAction: Audit) the main admission controller pod stays up, but worker threads crash and can be exhausted, degrading performance. In Enforce mode the admission controller itself crashes, admission requests fail, and resource deployment is effectively blocked. The reports controller pod crashes and restarts in a loop, which halts background policy scanning and report generation. The net effect is a denial of service against Kyverno's policy enforcement and reporting features. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection rests on two signals: crashing Kyverno pods and the policy content that triggers the crash. Watch the admission controller and reports controller pods for panics and repeated restarts, and look in their logs for a type assertion failure in getValueAsStringMap (a nil value where a string was expected). Independently, search ClusterPolicy and Policy resources for expressions that combine the {{@}} reference with an unknown JMESPath function, e.g. {{@ | non_existent_function}}. Useful commands: 1) kubectl get pods -n kyverno -w to watch for restarts and CrashLoopBackOff; 2) kubectl logs <admission-controller-pod> -n kyverno --previous | grep -A 20 panic to read the stack trace of the container that just crashed (after a restart the current container's log starts fresh, so --previous is what holds the trace); 3) kubectl get clusterpolicy,policy -A -o yaml | grep -n -A 5 '{{ *@' to find policies using the suspicious shape, with or without a space after {{, across all namespaces (Policy is namespaced, so -A is needed to see every namespace). Together these tell you whether a crafted policy is present and whether it is already causing instability. [1]
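A small scanner, added here as an example and not part of the page's or Kyverno's tooling, that applies the third check to raw policy YAML: ScanPolicyText flags every {{ ... }} variable expression whose left operand is @ piped into anything, tolerating the whitespace variants a literal grep for '{{@ |' would miss. It cannot tell a valid built-in (the to_upper call in the sample) from a non-existent function, so treat its output as a review list. samplePolicies is constructed input; passing - as the first argument reads stdin instead, e.g. kubectl get clusterpolicy,policy -A -o yaml | go run scan.go -.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// Finding is one variable expression matching the risky shape from the
// advisory: the current-value reference @ piped into a function or identifier,
// e.g. {{@ | non_existent_function}}.
type Finding struct {
	Line int    // 1-based line in the scanned text
	Expr string // expression inside the braces, whitespace-trimmed
}

var (
	// varRef matches every {{ ... }} variable reference on a line.
	varRef = regexp.MustCompile(`\{\{([^}]*)\}\}`)
	// atPipe matches an expression whose left operand is @ followed by a pipe.
	atPipe = regexp.MustCompile(`^\s*@\s*\|`)
)

// ScanPolicyText scans raw YAML text (for example the output of
// kubectl get clusterpolicy,policy -A -o yaml) and returns every {{ @ | ... }}
// expression it finds. It is a textual check: it does not evaluate JMESPath and
// so cannot distinguish a real function from an invalid one.
func ScanPolicyText(r io.Reader) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 1024*1024), 1024*1024) // policies can have long lines
	lineNo := 0
	for sc.Scan() {
		lineNo++
		for _, m := range varRef.FindAllStringSubmatch(sc.Text(), -1) {
			expr := strings.TrimSpace(m[1])
			if atPipe.MatchString(expr) {
				findings = append(findings, Finding{Line: lineNo, Expr: expr})
			}
		}
	}
	return findings, sc.Err()
}

// samplePolicies is constructed input for the example, not a real cluster dump.
// Line 18 uses a non-existent function; line 19 uses the same {{@|...}} shape
// with a real JMESPath built-in, which the scanner flags as well.
const samplePolicies = `apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-labels
spec:
  rules:
  - name: add-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            app: "{{request.object.metadata.name}}"
            owner: "{{ @ | non_existent_function }}"
            env: "{{@|to_upper(@)}}"
`

func main() {
	var r io.Reader = strings.NewReader(samplePolicies)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		r = os.Stdin // e.g. kubectl get clusterpolicy,policy -A -o yaml | go run scan.go -
	}
	findings, err := ScanPolicyText(r)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("line %d: {{%s}}\n", f.Line, f.Expr)
	}
}
```

Run against a live dump, each reported line should be traced back to its policy name and author; a hit in a policy nobody recognises is the signal to act on, while a hit using a documented built-in is a false positive of the textual check.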
What immediate steps should I take to mitigate this vulnerability?
Upgrade Kyverno to 1.14.2 or later; the fix adds nil checks and safer handling of JMESPath substitutions in getValueAsStringMap. Until you can upgrade, treat the ability to create or update ClusterPolicy and Policy resources as a privileged permission: exploitation requires exactly that permission, so review the RBAC bindings that grant it (Policy is namespaced, so check every namespace, not just the kyverno namespace) and restrict them to trusted operators. Monitor the kyverno namespace and restart affected pods if crashes occur. As a last resort, switch policies from Enforce to Audit for validationFailureAction until patched, because Enforce mode turns the panic into a full admission controller crash; be aware that this trades enforcement for availability, since in Audit mode violations are only reported and non-compliant resources are no longer blocked. Together these steps reduce the risk of denial of service from this vulnerability. [1, 2]