kubernetes allows nodes to bypass dynamic resource allocation authorization checks

GHSA-hj2p-8wj8-pfq4 · CVE-2025-4563 · GO-2025-3774

Published Jun 23, 2025 · Modified Feb 4, 2026

Description

A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-4563
WEB https://github.com/kubernetes/kubernetes/issues/132151
WEB https://github.com/kubernetes/kubernetes/pull/131844
WEB https://github.com/kubernetes/kubernetes/pull/131875
WEB https://github.com/kubernetes/kubernetes/pull/131876
PACKAGE https://github.com/kubernetes/kubernetes
WEB https://groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQ
WEB https://pkg.go.dev/vuln/GO-2025-3774

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes