CVE-2025-24784
📋 TL;DR
CVE-2025-24784 is a privilege escalation vulnerability in kubewarden-controller where non-admin users can create AdmissionPolicyGroup resources that deploy context-aware policies. These policies can query the Kubernetes API using the higher-privileged ServiceAccount token of the Policy Server, potentially exposing cluster resources beyond the user's intended access. Organizations using kubewarden-controller versions 1.17.0 through 1.20.x are affected.
💻 Affected Systems
- kubewarden-controller
⚠️ Manual Verification Required
The database entry for this CVE has no version ranges attached, so automatic vulnerability detection cannot determine from that entry alone whether your system is affected.
The range used on this page (1.17.0 or later and earlier than the 1.21.0 fix) comes from the vendor advisory linked under Fix & Mitigation; confirm the installed controller version yourself with the commands under How to Verify.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with namespace-level access could deploy policies that use the Policy Server's ServiceAccount to enumerate and read cluster-wide resources such as Namespaces, Pods, Deployments and Ingresses, and to modify them if that ServiceAccount's RBAC grants write verbs, leading to data exposure or cluster compromise.
Likely Case
Limited information disclosure where attackers with namespace access can query resources they shouldn't have access to, but impact is constrained by the default limited RBAC permissions of the Policy Server ServiceAccount.
If Mitigated
Minimal impact if organizations follow least privilege principles and restrict the Policy Server ServiceAccount to only necessary resources, though some information leakage may still occur.
🎯 Exploit Status
Exploitation requires authenticated Kubernetes access and knowledge of kubewarden policy creation. Attacker needs namespace permissions to create AdmissionPolicyGroup resources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.21.0
Vendor Advisory: https://github.com/kubewarden/kubewarden-controller/security/advisories/GHSA-756x-m4mj-q96c
Restart Required: Yes
Instructions:
1. Update kubewarden-controller to 1.21.0 or later with Helm, for example helm upgrade kubewarden kubewarden/kubewarden-controller --version 1.21.0. Use the release name shown by helm list -n kubewarden, and make sure the chart version you pick ships controller appVersion 1.21.0 or later (helm search repo kubewarden/kubewarden-controller --versions prints both columns); the chart version and the controller version are separate numbers.
2. The upgrade rolls out new controller pods by itself; kubectl rollout restart deployment -n kubewarden kubewarden-controller is only needed if the image tag did not change.
3. Verify that the controller pods run the new image and that the Policy Server pods have been reconciled and restarted afterwards.
🔧 Temporary Workarounds
Restrict AdmissionPolicyGroup Creation
Use Kubernetes RBAC so that only cluster administrators can create or modify AdmissionPolicyGroup resources. RBAC is additive: binding an extra read-only ClusterRole to system:authenticated grants get/list/watch to everyone and removes nothing, so it does not block creation. Instead, find out who can currently create the resource (note that the API group is policies.kubewarden.io, and that Roles granting "*" on that group or on all resources also grant it), then remove the create/update/patch verbs for admissionpolicygroups from the Roles and ClusterRoles those non-admin users hold:
kubectl auth can-i create admissionpolicygroups.policies.kubewarden.io --as=<user> -n <namespace>
kubectl auth can-i --list --as=<user> -n <namespace>
Limit Policy Server ServiceAccount Permissions
Apply least privilege to the ServiceAccount each PolicyServer runs as: keep only the resource kinds your context-aware policies actually query, and prefer read-only verbs (get, list, watch). Locate the ServiceAccount and its bindings first, since the Role and ClusterRole names depend on the PolicyServer name and your Helm values; the names below are the defaults for a PolicyServer called default:
kubectl get policyservers -o yaml
kubectl get clusterrolebindings,rolebindings -A -o wide | grep policy-server
kubectl edit clusterrole kubewarden-policy-server-default
kubectl edit clusterrolebinding kubewarden-policy-server-default
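The reason a read-only ClusterRole bound to system:authenticated restricts nothing is that Kubernetes RBAC is additive: a request is allowed if any rule bound to the subject allows it, and no rule can deny. The following added example (not code from this page or from the Kubewarden project) models that evaluation over constructed roles for a hypothetical user alice who owns the team-a namespace, and shows that only trimming the verbs on the grant she already holds takes away create. It models apiGroups, resources and verbs only; resourceNames, nonResourceURLs and ClusterRole aggregation are left out.

```python
"""Why an extra read-only ClusterRole does not restrict anything: Kubernetes RBAC
is additive, so a request is allowed if ANY rule bound to the subject allows it.
Added example with constructed roles; not Kubewarden's code. Models only
apiGroups/resources/verbs (no resourceNames, nonResourceURLs or aggregation)."""
from dataclasses import dataclass
from typing import Optional, Sequence

APG_GROUP = "policies.kubewarden.io"
APG_RESOURCE = "admissionpolicygroups"


@dataclass
class Rule:                      # one PolicyRule of a Role/ClusterRole
    api_groups: Sequence[str]
    resources: Sequence[str]
    verbs: Sequence[str]


@dataclass
class Binding:                   # a (Cluster)RoleBinding with its role's rules inlined
    subjects: Sequence[str]      # "User:alice", "Group:system:authenticated", ...
    rules: Sequence[Rule]
    namespace: Optional[str] = None   # None means ClusterRoleBinding (cluster-wide)


def rule_allows(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    def matches(allowed: Sequence[str], wanted: str) -> bool:
        return "*" in allowed or wanted in allowed
    return (matches(rule.api_groups, api_group)
            and matches(rule.resources, resource)
            and matches(rule.verbs, verb))


def can_i(bindings: Sequence[Binding], identities: Sequence[str], verb: str,
          api_group: str, resource: str, namespace: str) -> bool:
    """Additive evaluation: the first binding that covers the subject in this
    namespace and carries an allowing rule wins; nothing can ever deny."""
    for b in bindings:
        if b.namespace is not None and b.namespace != namespace:
            continue
        if not any(s in b.subjects for s in identities):
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in b.rules):
            return True
    return False


# alice's identity: her user plus the groups the API server puts her in
ALICE = ["User:alice", "Group:system:authenticated"]

# Constructed namespace Role: a typical "team owns its namespace" grant that
# gives alice every verb on every kubewarden policy resource in team-a.
TEAM_A_DEV = Binding(["User:alice"],
                     [Rule([APG_GROUP], ["*"], ["*"])], namespace="team-a")

# A read-only ClusterRole bound to every authenticated user, as sometimes
# proposed as a "restriction".
READ_ONLY_FOR_ALL = Binding(["Group:system:authenticated"],
                            [Rule([APG_GROUP], [APG_RESOURCE], ["get", "list", "watch"])])

# The actual fix: the grant alice already holds, trimmed to read-only verbs.
TEAM_A_DEV_FIXED = Binding(["User:alice"],
                           [Rule([APG_GROUP], ["*"], ["get", "list", "watch"])],
                           namespace="team-a")


def alice_can_create_apg(bindings: Sequence[Binding], namespace: str = "team-a") -> bool:
    return can_i(bindings, ALICE, "create", APG_GROUP, APG_RESOURCE, namespace)


if __name__ == "__main__":
    print("before workaround:", alice_can_create_apg([TEAM_A_DEV]))                            # True
    print("read-only role added:", alice_can_create_apg([TEAM_A_DEV, READ_ONLY_FOR_ALL]))      # True
    print("verbs removed:", alice_can_create_apg([TEAM_A_DEV_FIXED, READ_ONLY_FOR_ALL]))       # False
```

On a real cluster the same question is answered by kubectl auth can-i create admissionpolicygroups.policies.kubewarden.io --as=<user> -n <namespace>; run it before and after editing the Roles to confirm the create verb is actually gone.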
🧯 If You Can't Patch
- Implement strict RBAC controls to limit which users can create AdmissionPolicyGroup resources
- Audit and minimize permissions granted to the Policy Server ServiceAccount, removing any unnecessary cluster-wide access
🔍 How to Verify
Check if Vulnerable:
Check the kubewarden-controller image tag: kubectl get deployment -n kubewarden kubewarden-controller -o jsonpath='{.spec.template.spec.containers[*].image}'. Tags carry a v prefix (for example v1.20.0); if the controller image is 1.17.0 or later and earlier than 1.21.0, you are vulnerable. containers[*] rather than containers[0] lists every container in the pod, in case the controller is not the first one.
Check Version:
kubectl get deployment -n kubewarden kubewarden-controller -o jsonpath='{.spec.template.spec.containers[0].image}' | sed -e 's/@.*//' -e 's/.*://' -e 's/^v//'
(The sed drops a trailing @sha256 digest, takes the text after the last colon so a registry port is not mistaken for the tag, and strips the v prefix; a grep for ':[0-9.]*' would stop at the v and could match the port instead.)
Verify Fix Applied:
Confirm kubewarden-controller is running version 1.21.0 or later: kubectl get pods -n kubewarden -l app.kubernetes.io/name=kubewarden-controller -o jsonpath='{.items[*].spec.containers[*].image}'. Verify no pods show versions below 1.21.0.
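An added example (not the page's or the Kubewarden project's code) that applies the range check above to image references exactly as kubectl prints them: it copes with the v prefix, a registry port and an @sha256 digest, and returns None for tags it cannot interpret (latest, release candidates, digest-only references) so those get checked by hand instead of being silently reported as safe. The bounds 1.17.0 and 1.21.0 are the ones stated on this page.

```python
"""Classify a kubewarden-controller image reference against the CVE-2025-24784
affected range stated on this page (1.17.0 <= version < 1.21.0).
Added example; not code from the page or the Kubewarden project."""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]
AFFECTED_MIN: Version = (1, 17, 0)   # first affected release, per the page
FIXED: Version = (1, 21, 0)          # patch version from the Fix section


def image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None if it has none.

    Handles registries with a port (registry:5000/img:tag) and a trailing
    @sha256:... digest, both of which a naive split on ':' gets wrong.
    """
    ref = image.split("@", 1)[0]            # drop any digest
    _, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:               # no colon, or the colon was a port
        return None
    return tag


def parse_version(tag: str) -> Optional[Version]:
    """Parse 'v1.20.0' or '1.20.0'. Pre-release and other tags return None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(image: str) -> Optional[bool]:
    """True if the tag is inside the affected range, False if outside it,
    None if the tag cannot be interpreted and needs a manual check."""
    tag = image_tag(image)
    if tag is None:
        return None
    version = parse_version(tag)
    if version is None:
        return None
    return AFFECTED_MIN <= version < FIXED


if __name__ == "__main__":
    # Usage: kubectl get deployment -n kubewarden kubewarden-controller \
    #   -o jsonpath='{.spec.template.spec.containers[*].image}' | xargs -n1 python3 check.py
    labels = {True: "AFFECTED", False: "not affected", None: "unknown, check manually"}
    for ref in sys.argv[1:]:
        print(f"{ref}: {labels[is_affected(ref)]}")
```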
📡 Detection & Monitoring
Log Indicators:
- Unusual AdmissionPolicyGroup creation events from non-admin users
- Policy Server ServiceAccount performing unexpected API queries
- Multiple policy evaluation failures or permission errors
Network Indicators:
- Increased API server requests from Policy Server pods
- Unusual query patterns to Kubernetes API endpoints
SIEM Query:
kubernetes.event.objectRef.apiGroup=policies.kubewarden.io AND kubernetes.event.objectRef.resource=admissionpolicygroups AND kubernetes.event.verb IN (create, update, patch, delete) AND NOT kubernetes.event.user.username IN (<your admin identities>, <kubewarden-controller ServiceAccount>)
This assumes kube-apiserver audit events reach the SIEM with their objectRef and user fields intact, which requires an audit policy that records the policies.kubewarden.io group at Metadata level or higher; excluding the controller's own ServiceAccount keeps its routine updates to these objects from firing the alert.
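An added example (not from the page or the Kubewarden project) that runs the log indicators above over a handful of constructed kube-apiserver audit events: it flags AdmissionPolicyGroup writes by identities outside an allowlist, Policy Server ServiceAccount access to resource kinds your context-aware policies are not known to use, and 403 responses to that ServiceAccount. The ServiceAccount and controller names, the writer allowlist and the expected-read set are assumptions you would set for your own cluster.

```python
"""Run the detection ideas from this section over kube-apiserver audit events
(JSON lines). Added example with constructed events; not Kubewarden's code.
The identity names and allowlists below are assumptions to adapt per cluster."""
import json
from typing import Dict, Iterable, List

APG = ("policies.kubewarden.io", "admissionpolicygroups")
WRITE_VERBS = {"create", "update", "patch", "delete"}

# Identities expected to write AdmissionPolicyGroups: cluster admins and the
# controller, which updates their status (assumed names).
ALLOWED_APG_WRITERS = {
    "admin@example.com",
    "system:serviceaccount:kubewarden:kubewarden-controller",
}
# Assumed naming of the ServiceAccount a PolicyServer runs as.
POLICY_SERVER_SA_PREFIX = "system:serviceaccount:kubewarden:policy-server-"
# (apiGroup, resource) pairs your context-aware policies legitimately read; "" is core.
EXPECTED_POLICY_SERVER_READS = {
    ("", "pods"), ("", "namespaces"),
    ("apps", "deployments"), ("networking.k8s.io", "ingresses"),
}


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        user = ev.get("user", {}).get("username", "")
        verb = ev.get("verb", "")
        ref = ev.get("objectRef") or {}
        target = (ref.get("apiGroup", ""), ref.get("resource", ""))
        code = (ev.get("responseStatus") or {}).get("code", 0)
        record = {
            "user": user, "verb": verb,
            "resource": f"{target[0] or 'core'}/{target[1]}",
            "object": f"{ref.get('namespace', '-')}/{ref.get('name', '-')}",
        }
        # 1. AdmissionPolicyGroup written by someone outside the allowlist
        if target == APG and verb in WRITE_VERBS and user not in ALLOWED_APG_WRITERS:
            findings.append({"rule": "unexpected-apg-write", **record})
        # 2./3. Policy Server ServiceAccount denied, or touching an unexpected kind
        if user.startswith(POLICY_SERVER_SA_PREFIX):
            if code == 403:
                findings.append({"rule": "policy-server-forbidden", **record})
            elif target not in EXPECTED_POLICY_SERVER_READS:
                findings.append({"rule": "policy-server-unexpected-access", **record})
    return findings


# Constructed audit events, one per line, in the kube-apiserver audit.k8s.io shape.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","verb":"create","user":{"username":"admin@example.com","groups":["system:masters"]},"objectRef":{"apiGroup":"policies.kubewarden.io","resource":"admissionpolicygroups","namespace":"platform","name":"baseline"},"responseStatus":{"code":201}}
{"kind":"Event","verb":"create","user":{"username":"alice","groups":["system:authenticated","team-a"]},"objectRef":{"apiGroup":"policies.kubewarden.io","resource":"admissionpolicygroups","namespace":"team-a","name":"probe"},"responseStatus":{"code":201}}
{"kind":"Event","verb":"update","user":{"username":"system:serviceaccount:kubewarden:kubewarden-controller"},"objectRef":{"apiGroup":"policies.kubewarden.io","resource":"admissionpolicygroups","subresource":"status","namespace":"team-a","name":"probe"},"responseStatus":{"code":200}}
{"kind":"Event","verb":"list","user":{"username":"system:serviceaccount:kubewarden:policy-server-default"},"objectRef":{"resource":"pods","namespace":"team-a"},"responseStatus":{"code":200}}
{"kind":"Event","verb":"list","user":{"username":"system:serviceaccount:kubewarden:policy-server-default"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
{"kind":"Event","verb":"list","user":{"username":"system:serviceaccount:kubewarden:policy-server-default"},"objectRef":{"resource":"namespaces"},"responseStatus":{"code":403}}
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Against the sample the admin's create and the controller's status update are ignored, alice's create is reported, the Policy Server's pod list is accepted, its secrets list is flagged as unexpected, and its 403 on namespaces is flagged as a permission error (the "permission errors" indicator above); pipe a real audit log through the same function once the allowlists reflect your cluster.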