CVE-2025-46342
📋 TL;DR
This vulnerability in Kyverno allows attackers with Kubernetes API access to bypass security-critical policy rules that use namespace selectors. Because errors raised while evaluating a namespace selector are not propagated, the affected policies are silently skipped during admission review instead of failing the request, potentially enabling malicious operations. All Kyverno deployments prior to versions 1.13.5 and 1.14.0 are affected.
💻 Affected Systems
- Kyverno
📦 What is this software?
Kyverno by Kyverno
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass all namespace-selector-based policies, allowing unauthorized pod creation, privilege escalation, resource manipulation, and deployment of malicious containers in protected namespaces.
Likely Case
Attackers with existing K8s API access could bypass specific security policies, potentially deploying workloads that violate organizational security requirements or accessing restricted resources.
If Mitigated
With proper network segmentation, API authentication controls, and monitoring, the impact is limited to authorized users who might bypass specific policy restrictions.
🎯 Exploit Status
Exploitation requires Kubernetes API access. The vulnerability is straightforward to trigger by making requests that should be blocked by namespace-selector policies.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.5 or 1.14.0
Vendor Advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-jrr2-x33p-6hvc
Restart Required: Yes
Instructions:
1. Backup current Kyverno configuration.
2. Update Kyverno to version 1.13.5 or 1.14.0 using your preferred deployment method (helm, kubectl, etc.).
3. Verify the new version is running correctly.
4. Test that namespace-selector policies are now being enforced.
🔧 Temporary Workarounds
Temporarily disable or modify namespace-selector policies
Remove or modify policies that rely on namespace selectors until patching is complete (for example, matching on an explicit list of namespace names instead of a namespaceSelector). Cluster-scoped Kyverno policies are the clusterpolicies.kyverno.io resource; namespaced ones are policies.kyverno.io and need -n <namespace>.
kubectl delete clusterpolicies.kyverno.io <policy-name>
kubectl edit clusterpolicies.kyverno.io <policy-name>
Implement additional admission controllers
Use other admission controllers like OPA Gatekeeper alongside Kyverno for defense in depth
🧯 If You Can't Patch
- Strengthen Kubernetes RBAC to limit who can make admission review requests
- Implement network policies to restrict access to Kyverno admission webhook endpoints
- Increase monitoring of policy violations and admission review failures
🔍 How to Verify
Check if Vulnerable:
Check the Kyverno version from the admission webhook deployment's image tag: kubectl get deployment -n kyverno kyverno -o jsonpath='{.spec.template.spec.containers[0].image}' (on Kyverno 1.10+ chart and manifest installs the admission deployment is named kyverno-admission-controller; substitute that name). If the version is earlier than 1.13.5, or earlier than 1.14.0 on the 1.14 line, you are vulnerable.
Check Version:
kubectl get deployment -n kyverno kyverno -o jsonpath='{.spec.template.spec.containers[0].image}' | sed 's/@.*//; s/.*://; s/^v//'
Verify Fix Applied:
1. Verify Kyverno version shows 1.13.5 or higher.
2. Test that namespace-selector policies now properly block/allow requests as configured.
3. Check Kyverno logs for proper error handling in admission reviews.
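The version check above, carried through as an added example (not part of the advisory or of Kyverno itself): it strips registry, tag prefix and digest from an image reference, then classifies the version against the two fix lines, 1.13.5 and 1.14.0. It assumes that a pre-release of a fix version (e.g. 1.14.0-rc.1) counts as not yet fixed, and that the deployment name kyverno-admission-controller applies to 1.10+ installs.

```shell
#!/bin/sh
# Added example: classify a Kyverno image reference for CVE-2025-46342.
# Fixed in 1.13.5 and 1.14.0 (per the advisory); anything earlier on either line is affected.
# Assumption: pre-releases of a fix version (1.14.0-rc.1, 1.13.5-rc.1) are treated as affected.

# Print the bare version from an image reference, e.g.
# registry:5000/kyverno/kyverno:v1.13.4@sha256:... -> 1.13.4
kyverno_version_from_image() {
  printf '%s\n' "$1" | sed -e 's/@.*//' -e 's/.*://' -e 's/^v//'
}

# Return 0 if VERSION is affected, 1 if fixed, 2 if it is not major.minor.patch.
kyverno_is_affected() {
  v=$1
  case "$v" in [0-9]*.[0-9]*.[0-9]*) ;; *) return 2 ;; esac
  pre=0
  case "$v" in *-*) pre=1 ;; esac        # pre-release suffix present
  core=${v%%[-+]*}                        # drop pre-release / build metadata
  major=${core%%.*}; rest=${core#*.}
  minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
  if [ "$major" -gt 1 ]; then return 1; fi
  if [ "$major" -lt 1 ]; then return 0; fi
  if [ "$minor" -ge 15 ]; then return 1; fi
  if [ "$minor" -eq 14 ]; then            # 1.14.0 fixed, its pre-releases are not
    if [ "$patch" -eq 0 ] && [ "$pre" -eq 1 ]; then return 0; fi
    return 1
  fi
  if [ "$minor" -eq 13 ]; then            # 1.13.5 fixed, its pre-releases are not
    if [ "$patch" -gt 5 ]; then return 1; fi
    if [ "$patch" -eq 5 ] && [ "$pre" -eq 0 ]; then return 1; fi
    return 0
  fi
  return 0                                # 1.12 and earlier
}

# Print "affected|fixed|unknown <version>" for an image reference.
kyverno_check_image() {
  ver=$(kyverno_version_from_image "$1")
  rc=0
  kyverno_is_affected "$ver" || rc=$?
  case $rc in
    0) echo "affected $ver" ;;
    1) echo "fixed $ver" ;;
    *) echo "unknown $ver" ;;
  esac
}

# Live-cluster usage (deployment is kyverno-admission-controller on 1.10+ installs):
#   kyverno_check_image "$(kubectl get deployment -n kyverno kyverno-admission-controller \
#     -o jsonpath='{.spec.template.spec.containers[0].image}')"
if [ "$#" -gt 0 ]; then kyverno_check_image "$1"; fi
```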
📡 Detection & Monitoring
Log Indicators:
- Kyverno admission webhook returning success for requests that should be blocked by namespace-selector policies
- Missing or incomplete namespace selector evaluation in admission review logs
- Increased policy violation attempts in namespaces that should be protected
Network Indicators:
- Unusual admission review request patterns to Kyverno webhook
- Requests bypassing expected policy restrictions
SIEM Query:
source="kyverno" AND ("namespace selector" OR "admission review") AND (error OR bypass OR "not applied")