Vulnerability Description
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
CVSS Score
LOW
Related Weaknesses (CWE)
References
- https://github.com/kubernetes/kubernetes/issues/132151
- https://groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQ
FAQ
What is CVE-2025-4563?
CVE-2025-4563 is a vulnerability with a CVSS score of 2.7 (LOW). A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, ...
How severe is CVE-2025-4563?
CVE-2025-4563 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-4563?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.