Hello Kubernetes Community,

A vulnerability exists in the NodeRestriction admission controller where
nodes can bypass dynamic resource allocation authorization checks. When the
DynamicResourceAllocation feature gate is enabled, the controller properly
validates resource claim statuses during pod status updates but fails to
perform equivalent validation during pod creation. This allows a
compromised node to create mirror pods that access unauthorized dynamic
resources, potentially leading to privilege escalation.

This issue has been rated Low (2.7)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
<https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L>,
and assigned CVE-2025-4563.

Am I vulnerable?

All clusters that are using the DynamicResourceAllocation feature (disabled
by default) and static pods together may be vulnerable.


Affected Versions

   - kube-apiserver: v1.32.0 - v1.32.5
   - kube-apiserver: v1.33.0 - v1.33.1

How do I mitigate this vulnerability?

This issue can be mitigated by:

   - If you're not actively using the DynamicResourceAllocation features, the
     safest and simplest action is to turn off the feature on the API server.

Fixed Versions

   - kube-apiserver >= v1.32.6
   - kube-apiserver >= v1.33.2

Detection

All clusters that are using the DynamicResourceAllocation feature and
static pods may be vulnerable. Run the following commands to see if the
feature is in use:

kubectl get ResourceClaim --all-namespaces

and

kubectl get pods --all-namespaces -o json | jq -r '
  .items[]
  # the kubelet sets this annotation on every mirror pod; its value is a
  # hash of the static pod manifest, so test for presence rather than "true"
  | select(.metadata.annotations["kubernetes.io/config.mirror"] != null)
  | "\(.metadata.namespace)/\(.metadata.name)"'
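The two commands above answer "is the feature in use" and "are there mirror pods" separately. The script below, added here as an example and not part of this announcement or of Kubernetes itself, joins the two questions offline: it reads the JSON that `kubectl get pods --all-namespaces -o json` prints and lists the mirror pods that also reference dynamic resource claims, which is the combination the vulnerability concerns. The pod list embedded in it is constructed sample data, and the `spec.resourceClaims` entry shape (`resourceClaimName` / `resourceClaimTemplateName`) is assumed from the DRA pod API rather than taken from this announcement.

```python
"""Offline triage of a pod list for CVE-2025-4563 exposure (added example).

Usage against a live cluster:
    kubectl get pods --all-namespaces -o json > pods.json
    python3 triage.py pods.json
Without an argument the constructed sample below is used.
"""
import json
import sys

# Set by the kubelet on every mirror pod it registers for a static pod.
# Its value is a hash of the manifest, so presence is the test, not the value.
MIRROR_ANNOTATION = "kubernetes.io/config.mirror"

# Constructed sample of `kubectl get pods --all-namespaces -o json` output
# (not data from any real cluster).
SAMPLE_POD_LIST = {
    "items": [
        {   # ordinary static pod: mirror, no dynamic resources
            "metadata": {"name": "etcd-node1", "namespace": "kube-system",
                         "annotations": {MIRROR_ANNOTATION: "5e2d0b1c"}},
            "spec": {"nodeName": "node1", "containers": [{"name": "etcd"}]},
        },
        {   # regular workload pod using DRA: not a mirror pod
            "metadata": {"name": "trainer-7c9f", "namespace": "ml",
                         "annotations": {}},
            "spec": {"nodeName": "node2", "containers": [{"name": "trainer"}],
                     "resourceClaims": [{"name": "gpu",
                                         "resourceClaimTemplateName": "gpu-tmpl"}]},
        },
        {   # static pod that references a claim: the combination to review
            "metadata": {"name": "gpu-static-node1", "namespace": "default",
                         "annotations": {MIRROR_ANNOTATION: "a91f77d0"}},
            "spec": {"nodeName": "node1", "containers": [{"name": "worker"}],
                     "resourceClaims": [{"name": "gpu",
                                         "resourceClaimName": "shared-gpu"}]},
        },
    ]
}


def is_mirror_pod(pod):
    """True when the kubelet mirror annotation is present (any value)."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return MIRROR_ANNOTATION in annotations


def claim_refs(pod):
    """Names of ResourceClaims / ResourceClaimTemplates the pod spec references.

    Field names follow the DRA pod API (assumption, not from the advisory).
    """
    refs = []
    for entry in pod.get("spec", {}).get("resourceClaims") or []:
        ref = entry.get("resourceClaimName") or entry.get("resourceClaimTemplateName")
        if ref:
            refs.append(ref)
    return refs


def triage(pod_list):
    """Return (mirror_pods, mirror_pods_with_claims) as 'namespace/name' lists."""
    mirrors, with_claims = [], []
    for pod in pod_list.get("items", []):
        if not is_mirror_pod(pod):
            continue
        meta = pod["metadata"]
        key = f"{meta['namespace']}/{meta['name']}"
        mirrors.append(key)
        if claim_refs(pod):
            with_claims.append(key)
    return mirrors, with_claims


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            pods = json.load(fh)
    else:
        pods = SAMPLE_POD_LIST
    mirror_pods, flagged = triage(pods)
    print(f"mirror pods: {len(mirror_pods)}")
    for name in mirror_pods:
        print(f"  {name}")
    print(f"mirror pods referencing dynamic resource claims: {len(flagged)}")
    for name in flagged:
        print(f"  {name}  <- review")
```

A non-empty second list means a static pod on some node is already wired to a ResourceClaim; on an affected kube-apiserver version that is the situation in which the missing creation-time check matters, so those pods are the ones to review first, alongside the ResourceClaim listing from the first command.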

If you find evidence that this vulnerability has been exploited, please
contact secur...@kubernetes.io

Thank You,

Rita Zhang on behalf of the Kubernetes Security Response Committee

Additional Details

See the GitHub issue for more details:

https://github.com/kubernetes/kubernetes/issues/132151

Acknowledgements

This vulnerability was reported by @amitschendel

The issue was fixed and coordinated by:

Patrick Ohly @pohly

Jordan Liggitt @liggitt

Balaji @SaranBalaji90

Rita Zhang @ritazh

Marko Mudrinić @xmudrii

