CVE-2025-64434
BaseFortify
Publication date: 2025-11-07
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kubevirt | kubevirt | to 1.5.3 (exc) |
| kubevirt | kubevirt | 1.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade KubeVirt to version 1.5.3 or 1.6.1 or later, as these versions contain the fix for this vulnerability.
Can you explain this vulnerability to me?
This vulnerability in KubeVirt's virt-handler component allows an attacker who compromises one virt-handler instance to use shared credentials to impersonate the virt-api service. This impersonation enables the attacker to perform privileged operations on other virt-handler instances, potentially compromising the integrity and availability of the virtual machines managed by those instances. The issue is due to flaws in the peer verification logic and is fixed in versions 1.5.3 and 1.6.1.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker to execute privileged operations on virtual machine instances managed by KubeVirt, potentially leading to disruption or compromise of those virtual machines. This impacts the availability and integrity of the virtual machines, which could affect services relying on them.