CVE-2025-55205
📋 TL;DR
A namespace label injection vulnerability in Capsule v0.10.3 and earlier allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system). This bypasses multi-tenant isolation, potentially enabling cross-tenant resource access and privilege escalation. All Kubernetes clusters using vulnerable Capsule versions are affected.
💻 Affected Systems
- Capsule
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version range, so automated detection keyed on NVD data cannot decide whether a given deployment is affected.
Why? The vendor advisory is the authoritative source here: it names v0.10.3 and earlier as vulnerable and v0.10.4 as the fix, and those are the versions the rest of this page works from.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Tenant users gain administrative access to system namespaces, compromise cluster-wide resources, and access other tenants' data, leading to complete cluster compromise.
Likely Case
Tenants bypass isolation boundaries to access other tenants' resources, violating data separation and potentially exfiltrating sensitive information.
If Mitigated
RBAC restrictions on namespace writes can limit which principals reach the vulnerable path, but anything keyed on namespace labels (NetworkPolicy namespaceSelector, webhook namespaceSelector, label-based tenant assignment) is exactly what an injected label subverts, so label-based controls should not be counted as a mitigation. Even in the best case the isolation guarantee is still violated.
🎯 Exploit Status
Exploitation requires an authenticated tenant user; once that foothold exists, injecting the labels needs nothing beyond ordinary API access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.10.4
Vendor Advisory: https://github.com/projectcapsule/capsule/security/advisories/GHSA-fcpm-6mxq-m5vv
Restart Required: Yes
Instructions:
1. Backup your Capsule configuration and tenant resources
2. Update Capsule to v0.10.4 using your deployment method (Helm, kubectl apply, etc.)
3. Confirm the Capsule controller Deployment has rolled out the new image (a Helm upgrade or manifest apply triggers the rollout; restart the pods by hand only if the image tag did not change, e.g. when tracking a mutable tag)
4. Verify the new version is running correctly
🔧 Temporary Workarounds
Restrict Label Modification
Use Kubernetes RBAC to keep tenant users from updating or patching Namespace objects, especially the system namespaces. Caveat: RBAC is scoped by resource and verb, not by field, so it cannot forbid only the label change; it can only withhold update/patch on namespaces altogether. A field-level rule (rejecting writes to metadata.labels on kube-system, default and capsule-system) needs an admission policy in front of the API server.
kubectl apply -f restrictive-rbac.yaml
🧯 If You Can't Patch
- Implement strict network policies to isolate tenant namespaces from system namespaces; build them on podSelector or ipBlock rules rather than namespaceSelector, since a namespaceSelector matches on exactly the labels this vulnerability lets a tenant inject
- Enhance monitoring and alerting for namespace label modifications, especially in kube-system, default, and capsule-system namespaces
🔍 How to Verify
Check if Vulnerable:
Read the running Capsule image tag and compare it against v0.10.4:
kubectl get pods -n capsule-system -l app.kubernetes.io/name=capsule -o jsonpath='{.items[0].spec.containers[0].image}' | grep -o 'v[0-9.]*'
Anything below v0.10.4 (v0.10.3 or earlier) is vulnerable. Empty output means the image is referenced by digest or by a non-version tag such as latest, and the version has to be established another way (image labels, release notes of the deployed chart, or the binary itself).
Verify Fix Applied:
Verify Capsule version is v0.10.4 or later and test that tenant users cannot modify labels in system namespaces.
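An added example (not code from this page or from the Capsule project) that performs the same image-tag check as a script and handles the cases where the one-liner prints nothing: digest-only references, registries with a port, and non-version tags such as latest. The pod selector, namespace and the v0.10.4 threshold are taken from this page; treating a pre-release such as v0.10.4-rc.1 as still vulnerable is an assumption made on the conservative side.

```python
from __future__ import annotations

import re
import subprocess

# First release carrying the fix, per the vendor advisory (GHSA-fcpm-6mxq-m5vv).
# The trailing 1 marks a final release; pre-releases get 0 so that
# v0.10.4-rc.1 sorts below v0.10.4 (assumption: pre-releases may lack the fix).
FIXED_VERSION = (0, 10, 4, 1)

# Selector copied from the page's kubectl command; adjust if your install labels pods differently.
KUBECTL_CMD = [
    "kubectl", "get", "pods", "-n", "capsule-system",
    "-l", "app.kubernetes.io/name=capsule",
    "-o", "jsonpath={.items[0].spec.containers[0].image}",
]


def image_tag(image_ref: str) -> str | None:
    """Return the tag of an image reference, or None if it is digest-only or untagged.

    Only the last path component is inspected, so a registry with a port
    (localhost:5000/capsule:v0.10.3) is not mistaken for a tag.
    """
    without_digest = image_ref.split("@", 1)[0]      # drop @sha256:... if present
    last = without_digest.rsplit("/", 1)[-1]          # 'capsule:v0.10.3' or 'capsule'
    if ":" not in last:
        return None
    return last.split(":", 1)[1]


def parse_version(tag: str) -> tuple[int, int, int, int] | None:
    """Parse 'v0.10.3' / '0.10.3' / 'v0.10.4-rc.1' into a comparable tuple, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?", tag)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    is_final = m.group(4) is None                     # a '-rc.1' style suffix means pre-release
    return (major, minor, patch, 1 if is_final else 0)


def is_vulnerable(image_ref: str) -> bool | None:
    """True if the image runs a Capsule build below v0.10.4, False if fixed,
    None if the reference carries no parseable version (digest-only, 'latest', ...)."""
    tag = image_tag(image_ref)
    if tag is None:
        return None
    version = parse_version(tag)
    if version is None:
        return None
    return version < FIXED_VERSION


if __name__ == "__main__":
    # Needs cluster access; everything above runs offline.
    ref = subprocess.run(KUBECTL_CMD, check=True, capture_output=True, text=True).stdout.strip()
    state = {
        True: "VULNERABLE (below v0.10.4)",
        False: "fixed",
        None: "undetermined: image has no version tag, check the binary",
    }[is_vulnerable(ref)]
    print(f"{ref}: {state}")
```

Run it with cluster access to get a verdict for the first Capsule pod; a None verdict is the signal that the tag-based check is not enough and the deployed version must be confirmed by other means.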
📡 Detection & Monitoring
Log Indicators:
- Unauthorized label modifications in kube-system, default, or capsule-system namespaces
- Tenant users accessing resources outside their assigned namespaces
Network Indicators:
- Unexpected network traffic between tenant namespaces and system namespaces
SIEM Query:
Illustrative query; field names depend on your log pipeline. Source it from the Kubernetes audit log rather than watch events, and match both update and patch, since kubectl label and Server-Side Apply arrive as patch:
kubernetes.namespace IN ('kube-system', 'default', 'capsule-system') AND kubernetes.event_type = 'MODIFIED' AND kubernetes.resource_type = 'namespace' AND kubernetes.operation IN ('UPDATE', 'PATCH')
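An added example, not part of this page or of the Capsule project, that runs the detection logic behind the query above over Kubernetes audit log lines: it flags update and patch requests that touch metadata.labels on the three system namespaces, whether the body is a full object, a merge patch or a JSON Patch. The audit events embedded below are constructed, the label keys in them are placeholders, and the allowed_users allowlist is an assumption to be filled with the principals that legitimately label those namespaces (the page names none).

```python
from __future__ import annotations

import json
from typing import Iterable, Iterator

# Namespaces named on this page as targets of the label injection.
SYSTEM_NAMESPACES = {"kube-system", "default", "capsule-system"}
LABELS_PATH = "/metadata/labels"


def touched_labels(request_object) -> set[str]:
    """Label keys that a namespace update/patch body sets or removes.

    A full object, a JSON merge patch and a strategic merge patch all carry
    labels under metadata.labels; a JSON Patch is a list of ops whose paths
    sit under /metadata/labels (with '/' in keys escaped as '~1').
    """
    keys: set[str] = set()
    if isinstance(request_object, dict):
        labels = (request_object.get("metadata") or {}).get("labels")
        if isinstance(labels, dict):
            keys.update(labels)
    elif isinstance(request_object, list):
        for op in request_object:
            path = op.get("path", "") if isinstance(op, dict) else ""
            if path == LABELS_PATH:                          # whole-map add/replace
                keys.update((op.get("value") or {}).keys())
            elif path.startswith(LABELS_PATH + "/"):
                raw = path[len(LABELS_PATH) + 1:]
                keys.add(raw.replace("~1", "/").replace("~0", "~"))  # undo JSON Pointer escaping
    return keys


def find_label_writes(lines: Iterable[str], allowed_users: frozenset[str] = frozenset()) -> Iterator[dict]:
    """Yield one finding per audit event in which a principal outside allowed_users
    writes labels on a system namespace. Requires audit level Request or
    RequestResponse for namespaces; at Metadata level requestObject is absent."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "namespaces" or ev.get("verb") not in ("update", "patch"):
            continue
        if ref.get("name") not in SYSTEM_NAMESPACES:
            continue
        user = (ev.get("user") or {}).get("username", "")
        if user in allowed_users:
            continue
        keys = touched_labels(ev.get("requestObject"))
        if not keys:
            continue   # e.g. finalizer-only update; note a full-object update still carries existing labels
        yield {
            "auditID": ev.get("auditID"),
            "user": user,
            "namespace": ref["name"],
            "verb": ev["verb"],
            "labels": sorted(keys),
            "code": (ev.get("responseStatus") or {}).get("code"),   # 2xx means the write landed
        }


# Constructed audit events (not real cluster data), trimmed to the fields used above.
_SAMPLE_EVENTS = [
    {"auditID": "a1", "verb": "patch", "user": {"username": "alice", "groups": ["tenant-owners"]},
     "objectRef": {"resource": "namespaces", "name": "kube-system"},
     "requestObject": {"metadata": {"labels": {"example.com/injected": "true"}}},
     "responseStatus": {"code": 200}},
    {"auditID": "a2", "verb": "update",
     "user": {"username": "system:serviceaccount:kube-system:namespace-controller"},
     "objectRef": {"resource": "namespaces", "name": "kube-system"},
     "requestObject": {"metadata": {"name": "kube-system", "finalizers": ["kubernetes"]}},
     "responseStatus": {"code": 200}},
    {"auditID": "a3", "verb": "patch", "user": {"username": "bob"},
     "objectRef": {"resource": "namespaces", "name": "tenant-oil-ns"},
     "requestObject": {"metadata": {"labels": {"team": "oil"}}},
     "responseStatus": {"code": 200}},
    {"auditID": "a4", "verb": "patch", "user": {"username": "carol"},
     "objectRef": {"resource": "namespaces", "name": "capsule-system"},
     "requestObject": [{"op": "add", "path": "/metadata/labels/example.com~1owner", "value": "carol"}],
     "responseStatus": {"code": 403}},
    {"auditID": "a5", "verb": "get", "user": {"username": "alice"},
     "objectRef": {"resource": "namespaces", "name": "kube-system"},
     "responseStatus": {"code": 200}},
]
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in _SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in find_label_writes(SAMPLE_AUDIT_LINES):
        print(finding)
```

The 403 in the last finding is kept on purpose: a denied attempt to label capsule-system is still worth an alert, while the response code tells the responder whether the label actually landed. Feed real logs with something like find_label_writes(open("audit.log")).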