NodeRestriction Admission Controller Vulnerability in Kubernetes
CVE-2025-4563
What is CVE-2025-4563?
CVE-2025-4563 is a security vulnerability in the NodeRestriction admission controller of Kubernetes, the widely used open-source platform for managing containerized applications. The NodeRestriction controller enforces security policies on resource allocation and on what a node is permitted to do through the API. The vulnerability arises when the DynamicResourceAllocation feature gate is enabled, which allows resources to be claimed dynamically during the pod lifecycle: the controller does not adequately validate mirror pods created by a node, so a compromised node can create mirror pods that gain unauthorized access to dynamic resources. For organizations relying on Kubernetes this is a potential path to privilege escalation, since an attacker who controls the node could make use of the permissions granted to these unauthorized pods.
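The flaw is visible from the control plane side as a pod create request made by a node identity (system:node:...) carrying the mirror-pod annotation and a non-empty spec.resourceClaims. The following detection script is an added example, not part of the original page or of the Kubernetes project; it scans kube-apiserver audit log lines (audit.k8s.io/v1 events) for exactly that combination. It assumes the audit policy records pods at the RequestResponse level so that requestObject is present, and the sample records embedded below are constructed for illustration, not taken from a real cluster.

```python
import json
import sys

# Constructed kube-apiserver audit events (audit.k8s.io/v1, level RequestResponse),
# trimmed to the fields this check reads. Sample data, not from a real cluster.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"system:node:worker-1","groups":["system:nodes","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"kube-system","name":"static-web-worker-1"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"static-web-worker-1","annotations":{"kubernetes.io/config.mirror":"abc123","kubernetes.io/config.source":"file"}},"spec":{"nodeName":"worker-1","containers":[{"name":"web","image":"nginx"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"create","user":{"username":"system:node:worker-1","groups":["system:nodes","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"default","name":"mirror-gpu-worker-1"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"mirror-gpu-worker-1","annotations":{"kubernetes.io/config.mirror":"def456","kubernetes.io/config.source":"file"}},"spec":{"nodeName":"worker-1","containers":[{"name":"job","image":"busybox"}],"resourceClaims":[{"name":"gpu","resourceClaimName":"team-a-gpu-claim"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","namespace":"default","name":"app-7d9f-x1"},"responseStatus":{"code":201},"requestObject":{"metadata":{"name":"app-7d9f-x1"},"spec":{"containers":[{"name":"app","image":"app:1"}],"resourceClaims":[{"name":"gpu","resourceClaimTemplateName":"gpu-template"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"system:node:worker-2","groups":["system:nodes","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"default","name":"mirror-gpu-worker-2"},"responseStatus":{"code":403},"requestObject":{"metadata":{"name":"mirror-gpu-worker-2","annotations":{"kubernetes.io/config.mirror":"0a0b","kubernetes.io/config.source":"file"}},"spec":{"nodeName":"worker-2","containers":[{"name":"job","image":"busybox"}],"resourceClaims":[{"name":"gpu","resourceClaimName":"team-b-gpu-claim"}]}}}
"""

MIRROR_ANNOTATION = "kubernetes.io/config.mirror"   # set by the kubelet on mirror pods
NODE_USER_PREFIX = "system:node:"                  # kubelet identities authenticated as nodes


def is_node_identity(user):
    """True when the request was made with a node (kubelet) credential."""
    username = user.get("username", "")
    return username.startswith(NODE_USER_PREFIX) or "system:nodes" in user.get("groups", [])


def find_node_created_mirror_pods_with_claims(lines):
    """Return one finding per audit event in which a node identity created a mirror pod
    that references ResourceClaims. 'accepted' records whether the API server admitted
    the request (2xx) or rejected it; an accepted request on an affected version is
    the behaviour CVE-2025-4563 describes."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines mixed into the log
        if ev.get("verb") != "create" or ev.get("stage") != "ResponseComplete":
            continue
        if (ev.get("objectRef") or {}).get("resource") != "pods":
            continue
        if not is_node_identity(ev.get("user") or {}):
            continue
        req = ev.get("requestObject") or {}
        annotations = (req.get("metadata") or {}).get("annotations") or {}
        if MIRROR_ANNOTATION not in annotations:
            continue
        claims = (req.get("spec") or {}).get("resourceClaims") or []
        if not claims:
            continue  # ordinary static-pod mirror without DRA claims: benign
        code = (ev.get("responseStatus") or {}).get("code")
        findings.append({
            "auditID": ev.get("auditID"),
            "node": ev["user"].get("username"),
            "namespace": ev["objectRef"].get("namespace"),
            "pod": ev["objectRef"].get("name"),
            "claims": [c.get("resourceClaimName") or c.get("resourceClaimTemplateName") for c in claims],
            "accepted": code is not None and 200 <= code < 300,
        })
    return findings


if __name__ == "__main__":
    # Pipe a real audit log in on stdin, or run without input to scan the sample records.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG.splitlines()
    for finding in find_node_created_mirror_pods_with_claims(source):
        print(json.dumps(finding))
```

Run against the sample, the script reports a2 (accepted) and a4 (rejected) and ignores a1, a mirror pod without claims, and a3, a claim-bearing pod created by a controller rather than a node. Mirror pods themselves are normal on every node that runs static pods, so the annotation alone is not a signal; it is the pairing with spec.resourceClaims from a node credential that matters.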
Potential impact of CVE-2025-4563
- Privilege Escalation: The vulnerability allows compromised nodes to create unauthorized mirror pods, potentially giving attackers elevated privileges within the Kubernetes environment, which could compromise sensitive resources and configurations.
- Resource Misallocation: By bypassing authorization checks during resource allocation, the flaw could lead to misallocation of computational resources, impacting the performance and availability of applications running on the cluster.
- Increased Attack Surface: The ability to create unauthorized pods may also increase the attack surface for organizations, facilitating further attacks within the network, including potential lateral movement and exploitation of additional vulnerabilities in connected services or systems.
Affected Version(s)
Kubernetes v1.32.0 - v1.32.5
Kubernetes v1.33.0 - v1.33.1
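Because the page states that the flaw only applies when the DynamicResourceAllocation feature gate is enabled, scoping exposure means checking two things together: the control-plane version against the ranges above, and the gate setting on kube-apiserver. The script below is an added example, not part of this page or of Kubernetes. It reads the serverVersion.gitVersion field from `kubectl version -o json` and the command list of a kube-apiserver static pod manifest; the embedded inputs are constructed samples. Treating an unmentioned gate as off is an assumption labelled in the code (it matches the gate's beta default in these minor versions, but a cluster configured through a flag file rather than argv would need the gate read from there instead).

```python
import json
import re

# Affected kube-apiserver versions as listed on this page (inclusive ranges).
AFFECTED_RANGES = [((1, 32, 0), (1, 32, 5)), ((1, 33, 0), (1, 33, 1))]
FEATURE_GATE = "DynamicResourceAllocation"


def parse_git_version(git_version):
    """Extract (major, minor, patch) from a gitVersion such as 'v1.33.1' or 'v1.32.4-eks-ab12'.
    Distribution suffixes are ignored; only the upstream release number is compared."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", git_version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(git_version):
    v = parse_git_version(git_version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def feature_gate_enabled(apiserver_args, gate=FEATURE_GATE):
    """Read the gate's setting from kube-apiserver command-line arguments.
    Accepts '--feature-gates=A=true,B=false' and '--feature-gates A=true'; if the flag
    appears more than once the last setting wins. Assumption: a gate that is not
    mentioned is off (its default in the affected minor versions)."""
    enabled = False
    args = list(apiserver_args)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--feature-gates="):
            value = arg.split("=", 1)[1]
        elif arg == "--feature-gates" and i + 1 < len(args):
            i += 1
            value = args[i]
        else:
            i += 1
            continue
        i += 1
        for item in value.split(","):
            name, _, setting = item.partition("=")
            if name.strip() == gate:
                enabled = setting.strip().lower() == "true"
    return enabled


def assess(kubectl_version_json, apiserver_args):
    """Exposed only when both conditions hold: an affected release AND the gate enabled."""
    git_version = json.loads(kubectl_version_json)["serverVersion"]["gitVersion"]
    affected = version_in_affected_range(git_version)
    gate_on = feature_gate_enabled(apiserver_args)
    return {
        "serverVersion": git_version,
        "versionAffected": affected,
        "gateEnabled": gate_on,
        "exposed": affected and gate_on,
    }


# Constructed sample inputs: a trimmed `kubectl version -o json` document and the
# `command` list of a kube-apiserver static pod manifest. Not from a real cluster.
SAMPLE_KUBECTL_VERSION = (
    '{"clientVersion":{"gitVersion":"v1.33.1"},'
    '"serverVersion":{"major":"1","minor":"33","gitVersion":"v1.33.1"}}'
)
SAMPLE_APISERVER_COMMAND = [
    "kube-apiserver",
    "--secure-port=6443",
    "--feature-gates=DynamicResourceAllocation=true",
    "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NodeRestriction",
]

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_KUBECTL_VERSION, SAMPLE_APISERVER_COMMAND), indent=2))
```

With the sample inputs the result is exposed: true, since v1.33.1 falls inside the second range and the gate is explicitly on. The same version with the gate absent or set to false reports versionAffected: true but exposed: false, which is the distinction a patch-prioritisation ticket should carry.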