CVE-2025-47281
📋 TL;DR
This CVE describes a Denial of Service vulnerability in Kyverno policy engine versions 1.14.1 and below. Attackers with permissions to create or update Kyverno policies can craft malicious JMESPath expressions that crash Kyverno worker threads, causing continuous pod crashes. Organizations running vulnerable Kyverno versions in Kubernetes environments are affected.
💻 Affected Systems
- Kyverno
📦 What is this software?
Kyverno by Kyverno
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of Kyverno's admission control and policy enforcement capabilities, potentially affecting cluster operations and security posture.
Likely Case
Intermittent crashes of Kyverno components leading to policy enforcement gaps and operational instability.
If Mitigated
Minimal impact with proper RBAC controls limiting who can create/update policies.
🎯 Exploit Status
Exploitation requires authenticated access with policy creation/update permissions. The vulnerability details are publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.14.2
Vendor Advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggq
Restart Required: Yes
Instructions:
1. Back up the current Kyverno configuration.
2. Update Kyverno to version 1.14.2 using your preferred deployment method (helm upgrade, kubectl apply, etc.).
3. Verify all Kyverno pods are running with the new version.
🔧 Temporary Workarounds
Restrict Policy Permissions
Limit RBAC permissions to prevent unauthorized users from creating or updating Kyverno policies. The following commands list the roles and bindings that reference Kyverno:
kubectl get clusterrole,role -A | grep -i kyverno
kubectl get clusterrolebinding,rolebinding -A | grep -i kyverno
🧯 If You Can't Patch
- Implement strict RBAC controls to limit policy creation/update permissions to trusted administrators only.
- Monitor Kyverno pod logs for panic messages and restart crashed pods while investigating policy changes.
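The two kubectl commands above only list roles whose names mention Kyverno; what actually matters for this CVE is which subjects hold create/update/patch on kyverno.io policies and clusterpolicies, regardless of role name. The following script, added here as an example and not part of the advisory or the Kyverno project, audits that from the JSON output of kubectl get clusterrole -o json and kubectl get clusterrolebinding -o json. The role and binding data embedded in it is constructed, the check covers ClusterRoles only (namespaced Roles would need the same logic over kubectl get role,rolebinding -A -o json), and it treats wildcard groups, resources and verbs as grants.

```python
import json

# Kyverno policy objects live in the kyverno.io API group as policies / clusterpolicies.
POLICY_GROUP = "kyverno.io"
POLICY_RESOURCES = {"policies", "clusterpolicies"}
# Verbs that allow a subject to create or change a policy (and so to introduce a crashing JMESPath expression).
WRITE_VERBS = {"create", "update", "patch", "*"}

# Constructed sample in the shape of `kubectl get clusterrole -o json`; not data from a real cluster.
SAMPLE_ROLES = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "policy-editor"},
     "rules": [{"apiGroups": ["kyverno.io"], "resources": ["clusterpolicies", "policies"],
                "verbs": ["get", "list", "create", "update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "policy-viewer"},
     "rules": [{"apiGroups": ["kyverno.io"], "resources": ["clusterpolicies", "clusterpolicies/status"],
                "verbs": ["get", "list", "watch"]}]},
]})

# Constructed sample in the shape of `kubectl get clusterrolebinding -o json`.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-policy"},
     "roleRef": {"kind": "ClusterRole", "name": "policy-editor"},
     "subjects": [{"kind": "Group", "name": "developers"},
                  {"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "policy-viewer"},
     "subjects": [{"kind": "Group", "name": "everyone"}]},
]})


def rule_grants_policy_write(rule: dict) -> bool:
    """True if one RBAC rule allows create/update/patch on kyverno.io policies or clusterpolicies."""
    groups = set(rule.get("apiGroups", []))
    # Drop subresources such as "clusterpolicies/status" so they match the base resource name.
    resources = {r.split("/")[0] for r in rule.get("resources", [])}
    verbs = set(rule.get("verbs", []))
    group_ok = "*" in groups or POLICY_GROUP in groups
    resource_ok = "*" in resources or bool(resources & POLICY_RESOURCES)
    verb_ok = bool(verbs & WRITE_VERBS)
    return group_ok and resource_ok and verb_ok


def roles_with_policy_write(roles_json: str) -> set:
    """Names of ClusterRoles that contain at least one policy-write rule."""
    return {
        role["metadata"]["name"]
        for role in json.loads(roles_json)["items"]
        if any(rule_grants_policy_write(rule) for rule in role.get("rules", []))
    }


def subjects_with_policy_write(roles_json: str, bindings_json: str) -> list:
    """(subject, role) pairs for every subject bound to a ClusterRole that can write Kyverno policies."""
    risky_roles = roles_with_policy_write(roles_json)
    findings = []
    for binding in json.loads(bindings_json)["items"]:
        role_name = binding["roleRef"]["name"]
        if role_name not in risky_roles:
            continue
        for subject in binding.get("subjects", []):
            name = subject["name"]
            if subject.get("namespace"):
                name = f'{subject["namespace"]}/{name}'
            findings.append((f'{subject["kind"]}:{name}', role_name))
    return sorted(findings)


if __name__ == "__main__":
    for subject, role in subjects_with_policy_write(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{subject} can write Kyverno policies via ClusterRole {role}")
```

Anything the script reports that is not a trusted administrator is a candidate for removing the create/update/patch verbs until the cluster is on 1.14.2; the viewer role in the sample is correctly left out because read-only verbs cannot introduce a policy.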
🔍 How to Verify
Check if Vulnerable:
Check the Kyverno image tag of the running pods:
kubectl get pods -n kyverno -l app.kubernetes.io/name=kyverno -o jsonpath='{.items[*].spec.containers[*].image}'
Check Version:
kubectl get pods -n kyverno -l app.kubernetes.io/name=kyverno -o jsonpath='{.items[*].spec.containers[*].image}' | grep -o ':[0-9.]*'
Verify Fix Applied:
Confirm version is 1.14.2 or higher and monitor for pod crashes after applying policies with JMESPath expressions.
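Reading the image tags by eye works for one cluster, but the grep above misses digest-pinned images (no tag) and does not do a numeric comparison against 1.14.2. The script below, added as an example and not part of the advisory or of Kyverno itself, classifies every Kyverno container as fixed, vulnerable or unknown from the JSON form of the same kubectl query (kubectl get pods -n kyverno -l app.kubernetes.io/name=kyverno -o json). The pod data embedded in it is constructed; the image names are assumptions about the registry layout and the fixed version 1.14.2 comes from the advisory.

```python
import json
import re

# First release that fixes CVE-2025-47281, per the vendor advisory.
FIXED_VERSION = (1, 14, 2)

# Constructed sample of `kubectl get pods -n kyverno -l app.kubernetes.io/name=kyverno -o json`,
# trimmed to the fields this check reads. Image names and pod names are made up.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "kyverno-admission-controller-abc"},
     "spec": {"containers": [{"image": "ghcr.io/kyverno/kyverno:v1.14.1"}]}},
    {"metadata": {"name": "kyverno-background-controller-def"},
     "spec": {"containers": [{"image": "ghcr.io/kyverno/background-controller:v1.14.2"}]}},
    {"metadata": {"name": "kyverno-reports-controller-ghi"},
     "spec": {"containers": [{"image": "ghcr.io/kyverno/reports-controller@sha256:0123abcd"}]}},
]})


def parse_version(image: str):
    """Return (major, minor, patch) from a tag like ...:v1.14.1.

    Returns None for digest-pinned or untagged images and for pre-release tags
    (v1.14.2-rc.1), which must be resolved manually rather than assumed fixed.
    """
    match = re.search(r":v?(\d+)\.(\d+)\.(\d+)$", image)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def assess_pods(pods_json: str) -> list:
    """Classify each container image as 'fixed', 'vulnerable' or 'unknown'."""
    results = []
    for item in json.loads(pods_json)["items"]:
        pod = item["metadata"]["name"]
        for container in item["spec"]["containers"]:
            version = parse_version(container["image"])
            if version is None:
                status = "unknown"
            elif version >= FIXED_VERSION:
                status = "fixed"
            else:
                status = "vulnerable"
            results.append((pod, container["image"], status))
    return results


def needs_attention(pods_json: str) -> list:
    """Everything that is not provably on 1.14.2 or later."""
    return [entry for entry in assess_pods(pods_json) if entry[2] != "fixed"]


if __name__ == "__main__":
    for pod, image, status in assess_pods(SAMPLE_PODS_JSON):
        print(f"{status:10} {pod}  {image}")
```

Treating digest-pinned images as unknown rather than fixed is deliberate: the digest has to be resolved to a release (for example from the image's labels or the Helm release values) before the pod can be signed off.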
📡 Detection & Monitoring
Log Indicators:
- panic: interface conversion: interface {} is nil, not string
- Kyverno pod crashes/restarts
- getValueAsStringMap function errors
Network Indicators:
- Increased API server errors related to admission webhooks
SIEM Query:
source="kyverno" AND ("panic" OR "nil" OR "getValueAsStringMap")
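The SIEM query above matches on "nil" alone, which is noisy in Go logs. A tighter rule keys on the exact panic string, correlates it with the getValueAsStringMap frame appearing in the same crash, and cross-checks the pod restart count. The script below is an added example, not code from the advisory or from Kyverno; the log lines and the kubectl get pods table it contains are constructed to resemble a crash, and the surrounding log format and restart threshold are assumptions.

```python
import re

# Log indicators from the advisory's Detection section, as anchored patterns.
INDICATORS = [
    ("panic_nil_string", re.compile(r"panic: interface conversion: interface \{\} is nil, not string")),
    ("getValueAsStringMap", re.compile(r"getValueAsStringMap")),
]

# Constructed sample of Kyverno container output around a crash; timestamps, message text
# and the stack frame line are made up for illustration, not copied from a real log.
SAMPLE_LOGS = """\
2025-06-01T10:00:01Z INFO webhooks/resource "msg"="admission review request"
2025-06-01T10:00:02Z INFO engine "msg"="applying policy" "policy"="constructed-policy"
panic: interface conversion: interface {} is nil, not string
goroutine 42 [running]:
(stack frame, constructed) getValueAsStringMap(...)
"""

# Constructed sample of `kubectl get pods -n kyverno` output.
SAMPLE_POD_TABLE = """\
NAME                                        READY   STATUS             RESTARTS      AGE
kyverno-admission-controller-7c9d8-abcde    0/1     CrashLoopBackOff   7 (30s ago)   2d
kyverno-background-controller-5f6g7-fghij   1/1     Running            0             2d
"""


def scan_logs(text: str, window: int = 10) -> dict:
    """Count indicator hits and report whether the panic and the function frame occur within `window` lines.

    Both appearing together is the strongest log signal that a policy with a
    crashing JMESPath expression was evaluated, rather than some unrelated panic.
    """
    lines = text.splitlines()
    counts = {name: 0 for name, _ in INDICATORS}
    positions = {name: [] for name, _ in INDICATORS}
    for index, line in enumerate(lines):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                counts[name] += 1
                positions[name].append(index)
    correlated = any(
        abs(p - g) <= window
        for p in positions["panic_nil_string"]
        for g in positions["getValueAsStringMap"]
    )
    return {"counts": counts, "correlated": correlated}


def restarting_pods(table: str, threshold: int = 3) -> list:
    """Pods from a `kubectl get pods` table whose RESTARTS column is at or above the threshold."""
    flagged = []
    for line in table.splitlines()[1:]:  # skip the header row
        columns = line.split()
        if len(columns) < 4 or not columns[3].isdigit():
            continue
        restarts = int(columns[3])  # "7 (30s ago)" splits so the count is the fourth column
        if restarts >= threshold:
            flagged.append((columns[0], restarts))
    return flagged


def alert(logs: str, table: str) -> bool:
    """Fire when the crash signature is present in the logs and at least one Kyverno pod is restart-looping."""
    return scan_logs(logs)["correlated"] and bool(restarting_pods(table))


if __name__ == "__main__":
    print(scan_logs(SAMPLE_LOGS))
    print(restarting_pods(SAMPLE_POD_TABLE))
    print("alert:", alert(SAMPLE_LOGS, SAMPLE_POD_TABLE))
```

When the alert fires, the next step is the one the advisory already gives: look at recent policy create/update events (the Kubernetes audit log for kyverno.io resources) to find which policy change preceded the first restart.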