A critical vulnerability (CVE-2025-4563) in Kubernetes allows nodes to bypass authorization checks, leading to potential privilege escalation in affected clusters. The issue affects specific versions of kube-apiserver and requires particular configurations to exploit, though it has a low severity score. #Kubernetes #NodeRestriction
Keypoints
- The vulnerability resides in the NodeRestriction admission controller, affecting resource validation during pod creation.
- Exploitation requires enabling the DynamicResourceAllocation feature alongside static pods.
- The affected Kubernetes versions are v1.32.0-1.32.5 and v1.33.0-1.33.1 with a CVSS score of 2.7.
- Mitigation involves updating to patched versions or disabling DynamicResourceAllocation via API parameters.
- Cloud providers like Azure Kubernetes Service are unaffected due to default feature settings.
Read More: https://gbhackers.com/kubernetes-noderestriction-flaw/