CVE-2025-4563
CVE Details
Visit the official vulnerability details page for CVE-2025-4563 to learn more.
Initial Publication
05/20/2025
Last Update
08/18/2025
This CVE does not have a third party dependency.
NIST CVE Summary
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
CVE Severity
Our Official Summary
All clusters that are using the DynamicResourceAllocation feature (disabled by default) and static pods together may be vulnerable.

Affected Versions: kube-apiserver v1.32.0 - v1.32.5 and kube-apiserver v1.33.0 - 1.33.1.

How do I mitigate this vulnerability? If you are not actively using the DynamicResourceAllocation features, the safest and simplest mitigation is to turn the feature gate off on the API server.

Fixed Versions: kube-apiserver >= v1.32.6 and kube-apiserver >= v1.33.2.

Detection: All clusters that are using the DynamicResourceAllocation feature and static pods may be vulnerable. Run the following commands to see whether the feature is in use (any ResourceClaim objects) and whether static (mirror) pods are present:

kubectl get ResourceClaim --all-namespaces

kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.metadata.annotations["kubernetes.io/config.mirror"] == "true") | "\(.metadata.namespace)/\(.metadata.name)"'
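As an added triage helper, not part of this bulletin or of Kubernetes itself, the following Python applies the same three checks offline to saved kubectl JSON output: the affected kube-apiserver ranges listed above, the ResourceClaim count, and the same mirror-pod annotation filter as the jq command. The function names and the sample JSON are my own constructions.

```python
import json
import re

# Affected kube-apiserver ranges as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [((1, 32, 0), (1, 32, 5)), ((1, 33, 0), (1, 33, 1))]
MIRROR_ANNOTATION = "kubernetes.io/config.mirror"


def parse_version(v):
    """Turn 'v1.32.3' or '1.32.3' into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True if the kube-apiserver version falls inside an affected range."""
    t = parse_version(version)
    return any(lo <= t <= hi for lo, hi in AFFECTED_RANGES)


def mirror_pods(pods_json):
    """Same selection as the advisory's jq filter: mirror pods as 'ns/name'."""
    items = json.loads(pods_json)["items"]
    return [f"{p['metadata']['namespace']}/{p['metadata']['name']}"
            for p in items
            if p["metadata"].get("annotations", {}).get(MIRROR_ANNOTATION) == "true"]


def assess(version, claims_json, pods_json):
    """Cluster is exposed only when all three signals are present."""
    claims = json.loads(claims_json)["items"]
    mirrors = mirror_pods(pods_json)
    affected = version_affected(version)
    return {"version_affected": affected,
            "resource_claims": len(claims),
            "mirror_pods": mirrors,
            "exposed": affected and bool(claims) and bool(mirrors)}


# Constructed sample output (not from a real cluster), shaped like
# `kubectl get ResourceClaim -A -o json` and `kubectl get pods -A -o json`.
SAMPLE_CLAIMS = '{"items": [{"metadata": {"name": "gpu-claim", "namespace": "ml"}}]}'
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "kube-apiserver-node1", "namespace": "kube-system",
                  "annotations": {MIRROR_ANNOTATION: "true"}}},
    {"metadata": {"name": "web-7d9f", "namespace": "default", "annotations": {}}},
]})

if __name__ == "__main__":
    print(json.dumps(assess("v1.32.3", SAMPLE_CLAIMS, SAMPLE_PODS), indent=2))
```

Feed it the real files with `kubectl get ResourceClaim -A -o json > claims.json` and `kubectl get pods -A -o json > pods.json`, then call assess() with their contents and the `kubectl version -o json` server gitVersion.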
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.6.36 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
No revisions available.