CVE-2025-29778
📋 TL;DR
Kyverno versions before 1.14.0-alpha.1 ignore the subjectRegExp and issuerRegExp checks when verifying artifacts in keyless mode, so an attacker can get Kubernetes resources admitted whose image signatures come from certificates the policy's subject/issuer patterns were meant to reject. This could lead to unauthorized deployments and potential cluster compromise. Only Kyverno deployments using keyless verification mode are affected.
💻 Affected Systems
- Kyverno
📦 What is this software?
Kyverno by Kyverno
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of Kubernetes cluster through deployment of malicious resources with forged signatures, potentially leading to data exfiltration, service disruption, or lateral movement.
Likely Case
Unauthorized deployment of containers or resources that bypass policy controls, potentially introducing vulnerabilities or malicious workloads.
If Mitigated
Limited impact if proper network segmentation and RBAC controls prevent unauthorized deployments even with bypassed signature validation.
🎯 Exploit Status
Requires ability to sign artifacts with certificates that would normally be rejected by subjectRegExp/issuerRegExp patterns, and access to trigger Kyverno policy evaluations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.14.0-alpha.1
Vendor Advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94
Restart Required: Yes
Instructions:
1. Back up the current Kyverno configuration.
2. Update Kyverno to version 1.14.0-alpha.1 or later using your preferred deployment method (helm, kubectl, etc.).
3. Verify the new version is running correctly.
4. Test policy evaluations to ensure proper functionality.
🔧 Temporary Workarounds
Disable keyless verification
Switch from keyless verification mode to traditional key-based verification, which is not affected by this vulnerability.
Modify Kyverno policies to use key-based verification instead of keyless mode
Restrict deployment permissions
Tighten RBAC controls to limit who can trigger Kyverno policy evaluations or deploy resources.
Review and update Kubernetes RBAC roles and clusterroles to minimize attack surface
🧯 If You Can't Patch
- Implement network policies to restrict traffic to Kyverno pods and limit which services can trigger evaluations
- Enable audit logging for all Kyverno-related activities and monitor for unexpected policy bypasses
🔍 How to Verify
Check if Vulnerable:
Check the running Kyverno version, and check whether any image-verification policies use keyless mode with subjectRegExp or issuerRegExp set.
Check Version:
kubectl get deployment kyverno -n kyverno -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?'
Verify Fix Applied:
Verify Kyverno version is 1.14.0-alpha.1 or later and test that subjectRegExp/issuerRegExp patterns are properly enforced during keyless verification.
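The two checks above (is the running version older than the fix, and does any policy actually depend on subjectRegExp/issuerRegExp inside a keyless attestor) can be scripted against the JSON that kubectl emits, which also makes the key-based workaround from the previous section easy to confirm. The script below is an added example, not Kyverno's own tooling or anything from the advisory. It assumes the policy JSON shape of `kubectl get clusterpolicy,policy -A -o json` (spec.rules[].verifyImages[].attestors[].entries[].keyless), treats exact-match `subject`/`issuer` and `keys` entries as unaffected because the advisory names only the two regex fields, and the embedded policy list, image references and key placeholder are constructed sample data; the file name `audit.py` is hypothetical.

```python
"""Audit helper for CVE-2025-29778 (Kyverno keyless subjectRegExp/issuerRegExp bypass).

A cluster is exposed only when BOTH hold: Kyverno is older than the fix release and at
least one policy relies on subjectRegExp / issuerRegExp in a keyless attestor.
"""
import json
import re

FIXED_VERSION = "v1.14.0-alpha.1"  # first release containing the fix, per the advisory
REGEX_FIELDS = ("subjectRegExp", "issuerRegExp")  # the fields the vulnerable code ignored

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def version_key(version: str) -> tuple:
    """Sort key with semver precedence: 'v1.14.0-alpha.1' < 'v1.14.0-rc.1' < 'v1.14.0'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Kyverno version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:  # a final release outranks any pre-release of the same number
        return (major, minor, patch, 1, ())
    # numeric identifiers sort before alphanumeric ones and compare as integers
    idents = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, 0, idents)


def version_is_vulnerable(version: str) -> bool:
    """True for every Kyverno release older than the fix."""
    return version_key(version) < version_key(FIXED_VERSION)


def keyless_regex_attestors(policy_list: dict) -> list:
    """Return each keyless attestor entry that depends on subjectRegExp/issuerRegExp.

    Exact-match subject/issuer and key-based (keys) entries are not affected and are skipped.
    """
    findings = []
    for pol in policy_list.get("items", []):
        meta = pol.get("metadata", {})
        for rule in pol.get("spec", {}).get("rules", []):
            for vi in rule.get("verifyImages") or []:
                for attestor in vi.get("attestors") or []:
                    for entry in attestor.get("entries") or []:
                        keyless = entry.get("keyless") or {}
                        used = [f for f in REGEX_FIELDS if keyless.get(f)]
                        if used:
                            findings.append({
                                "policy": meta.get("name"),
                                "namespace": meta.get("namespace"),  # None for ClusterPolicy
                                "rule": rule.get("name"),
                                "images": vi.get("imageReferences", []),
                                "regex_fields": used,
                            })
    return findings


def assess(running_version: str, policy_list: dict) -> dict:
    """Combine the version check and the policy scan into one verdict."""
    exposed_attestors = keyless_regex_attestors(policy_list)
    vulnerable = version_is_vulnerable(running_version)
    return {
        "version": running_version,
        "version_vulnerable": vulnerable,
        "exposed_attestors": exposed_attestors,
        "exposed": vulnerable and bool(exposed_attestors),
    }


# Constructed sample: one policy that relies on the ignored regex fields, one that uses the
# exact-match keyless fields, and one already switched to key-based verification (the workaround).
SAMPLE_POLICIES = json.loads(r"""
{"items": [
  {"kind": "ClusterPolicy", "metadata": {"name": "verify-image-keyless-regex"},
   "spec": {"rules": [{"name": "check-signature",
     "verifyImages": [{"imageReferences": ["registry.example.com/team/*"],
       "attestors": [{"entries": [{"keyless": {
         "subjectRegExp": "https://github\\.com/example-org/.+/\\.github/workflows/.+",
         "issuerRegExp": "https://token\\.actions\\.githubusercontent\\.com",
         "rekor": {"url": "https://rekor.sigstore.dev"}}}]}]}]}]}},
  {"kind": "ClusterPolicy", "metadata": {"name": "verify-image-keyless-exact"},
   "spec": {"rules": [{"name": "check-signature",
     "verifyImages": [{"imageReferences": ["registry.example.com/platform/*"],
       "attestors": [{"entries": [{"keyless": {
         "subject": "builder@example.com", "issuer": "https://accounts.example.com"}}]}]}]}]}},
  {"kind": "ClusterPolicy", "metadata": {"name": "verify-image-keyed"},
   "spec": {"rules": [{"name": "check-signature",
     "verifyImages": [{"imageReferences": ["registry.example.com/team/*"],
       "attestors": [{"entries": [{"keys": {
         "publicKeys": "-----BEGIN PUBLIC KEY-----\nEXAMPLE-KEY-PLACEHOLDER\n-----END PUBLIC KEY-----"}}]}]}]}]}}
]}
""")

if __name__ == "__main__":
    import sys
    # Usage: kubectl get clusterpolicy,policy -A -o json | python audit.py v1.13.4
    if len(sys.argv) > 1:
        print(json.dumps(assess(sys.argv[1], json.load(sys.stdin)), indent=2))
    else:
        print(json.dumps(assess("v1.13.4", SAMPLE_POLICIES), indent=2))
```

Run with the version string from the kubectl command above as the first argument and the policy JSON on stdin. The semver ordering matters here because the fix landed in a pre-release: `v1.14.0-alpha.1`, `v1.14.0-rc.1` and `v1.14.0` are all fixed, while anything in 1.13.x or earlier is not. A policy listed under `exposed_attestors` is the one to convert to a key-based attestor (or to exact `subject`/`issuer` values) until the upgrade is done.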
📡 Detection & Monitoring
Log Indicators:
- Kyverno policy evaluations that should have been rejected due to certificate patterns but were allowed
- Unexpected successful verifications in keyless mode
Network Indicators:
- Unusual API calls to Kyverno webhooks or policy evaluation endpoints
SIEM Query:
source="kyverno" AND ("verification succeeded" OR "policy applied") AND "keyless" AND NOT ("subjectRegExp" OR "issuerRegExp")
🔗 References
- https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537
- https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60
- https://github.com/kyverno/kyverno/pull/12237
- https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94
- https://github.com/kyverno/policies/issues/1246