Denial of Service Vulnerability in Kyverno Cloud Native Policy Engine
CVE-2025-47281

7.7HIGH

Key Information:

Vendor: Kyverno
Status: Kyverno
Vendor: CVE Published:; 23 July 2025

What is CVE-2025-47281?

Inversions 1.14.1 and earlier, Kyverno, a policy engine for cloud native platforms, is susceptible to a Denial of Service (DoS) attack due to improper handling of JMESPath variable substitutions. An attacker with permission to modify Kyverno policies can exploit this vulnerability by crafting expressions that lead to nil values being inserted into the policy structure. This results in panic events within the internal functions designed to process expected string values, such as getValueAsStringMap, ultimately crashing worker threads of the Kyverno admission controller and causing repeated failures of the reports controller pod. The issue is resolved in version 1.14.2.

Affected Version(s)

kyverno < 1.14.2

References

https://github.com/kyverno/kyverno/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/kyverno/kyverno/commit/cbd7d4ca24de1c5...

x_refsource_MISC

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 23, 2025
Vulnerability Reserved
May 5, 2025