Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go`. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0.

Classification

CVE ID: CVE-2025-46342

CVSS Base Severity: HIGH

CVSS Base Score: 8.6

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Products

Vendor: kyverno

Product: kyverno

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 20.06% (scored less or equal to compared to others)

EPSS Date: 2025-05-01 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-46342
https://github.com/kyverno/kyverno/security/advisories/GHSA-jrr2-x33p-6hvc
https://github.com/kyverno/kyverno/commit/3ff923b7756e1681daf73849954bd88516589194

Timeline