How the CVE Works
The vulnerability (CVE-2025-XXXXX) in Kubernetes is exposed when the `DynamicResourceAllocation` feature gate is enabled. The `NodeRestriction` admission controller validates resource claim statuses during pod status updates but does not enforce the same check during pod creation. A compromised node can therefore create mirror pods that bypass this authorization check and obtain access to dynamic resources it is not entitled to, which an attacker could use to escalate privileges by manipulating resource claims. Affected versions are Kubernetes 1.32.0 to 1.32.5 and 1.33.0 to 1.33.1.
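Because the gap is a missing check on the create path, one practical defensive control is to audit pod creations made by node identities (`system:node:*`) that already carry ResourceClaim references in `spec.resourceClaims` or `status.resourceClaimStatuses`. The following is an added detection example, not code from the original post or from Kubernetes; it assumes API server audit logging at the `RequestResponse` level (so `requestObject` is present) and runs over constructed sample events.

```python
import json

# Constructed sample audit events for illustration only (not from a real cluster).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # Ordinary mirror pod created by its own node: no claims, should not be flagged.
    {"verb": "create", "stage": "ResponseComplete",
     "user": {"username": "system:node:worker-1"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "static-web-worker-1"},
     "requestObject": {"metadata": {"annotations": {"kubernetes.io/config.mirror": "abc"}},
                       "spec": {"nodeName": "worker-1", "containers": []}}},
    # Mirror pod created by a node that references a ResourceClaim in spec and status.
    {"verb": "create", "stage": "ResponseComplete",
     "user": {"username": "system:node:worker-2"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "static-gpu-worker-2"},
     "requestObject": {"metadata": {"annotations": {"kubernetes.io/config.mirror": "def"}},
                       "spec": {"nodeName": "worker-2",
                                "resourceClaims": [{"name": "gpu", "resourceClaimName": "shared-gpu"}]},
                       "status": {"resourceClaimStatuses": [{"name": "gpu", "resourceClaimName": "shared-gpu"}]}}},
    # Same kind of pod created by a controller, not a node identity: expected, not flagged.
    {"verb": "create", "stage": "ResponseComplete",
     "user": {"username": "system:serviceaccount:kube-system:deployment-controller"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "app-1"},
     "requestObject": {"spec": {"resourceClaims": [{"name": "gpu", "resourceClaimName": "shared-gpu"}]}}},
])


def claim_references(pod):
    """Sorted, de-duplicated ResourceClaim names referenced from pod.spec or pod.status."""
    spec_claims = pod.get("spec", {}).get("resourceClaims") or []
    status_claims = pod.get("status", {}).get("resourceClaimStatuses") or []
    return sorted({c.get("resourceClaimName") or c.get("name") for c in spec_claims + status_claims if c})


def find_node_created_pods_with_claims(audit_log_text):
    """Return pod create events issued by a node identity that already reference ResourceClaims."""
    findings = []
    for line in audit_log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines in a mixed log stream
        if ev.get("verb") != "create" or ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("objectRef", {}).get("resource") != "pods":
            continue
        user = ev.get("user", {}).get("username", "")
        if not user.startswith("system:node:"):
            continue
        pod = ev.get("requestObject") or {}
        claims = claim_references(pod)
        if not claims:
            continue
        ref = ev["objectRef"]
        findings.append({"node": user[len("system:node:"):],
                         "pod": f"{ref.get('namespace')}/{ref.get('name')}",
                         "mirror": "kubernetes.io/config.mirror" in pod.get("metadata", {}).get("annotations", {}),
                         "claims": claims})
    return findings
```

On a patched cluster the admission controller rejects such requests, so any `ResponseComplete` hit from this filter is worth correlating with the node's kubelet credentials and the claims it named.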
DailyCVE Form
Platform: Kubernetes
Version: 1.32.0-1.32.5, 1.33.0-1.33.1
Vulnerability: Authorization bypass
Severity: Low
Date: Jun 23, 2025
Prediction: Patch by Jul 10, 2025
What Undercode Says
```bash
# List all pods in every namespace
kubectl get pods --all-namespaces
# Inspect a suspicious pod in detail
kubectl describe pod <malicious-pod>
# Check what a given node identity is allowed to create
kubectl auth can-i create pods --as=system:node:<compromised-node>
```
How the Exploit Works
1. Compromise a Kubernetes node.
2. Create a malicious mirror pod.
3. Bypass dynamic resource checks.
4. Access unauthorized resources.
Protection from this CVE
- Upgrade to Kubernetes 1.32.6 or 1.33.2.
- Disable `DynamicResourceAllocation` if unused.
- Enforce strict RBAC policies.
Impact
- Unauthorized resource access.
- Potential privilege escalation.
- Cluster integrity compromise.
Sources:
Reported By: github.com