Vulnerability Details CVE-2025-29778
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 15.1%
CVSS Severity
CVSS v3 Score 5.8
References
- https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537
- https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60
- https://github.com/kyverno/kyverno/pull/12237
- https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94
- https://github.com/kyverno/policies/issues/1246
Products affected by CVE-2025-29778
-
cpe:2.3:a:kyverno:kyverno:1.13.0
-
cpe:2.3:a:kyverno:kyverno:1.13.1
-
cpe:2.3:a:kyverno:kyverno:1.13.2
-
cpe:2.3:a:kyverno:kyverno:1.13.3
-
cpe:2.3:a:kyverno:kyverno:1.13.4
-
cpe:2.3:a:kyverno:kyverno:1.13.5