CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-46599: CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations,...

6.8 CVSS

Description

CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.

Classification

CVE ID: CVE-2025-46599

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.8

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem Types

CWE-1188 Initialization of a Resource with an Insecure Default

Affected Products

Vendor: K3s

Product: K3s

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.44% (scored less or equal to compared to others)

EPSS Date: 2025-05-24 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-46599
https://github.com/f1veT/BUG/issues/2
https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port
https://github.com/k3s-io/k3s/issues/12164
https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a
https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1

Timeline

2025-04-25 05:40:09 UTC
CVE

CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations,...
2025-04-25 16:15:23 UTC
Github Advisory Database (Go)

[github.com/k3s-io/k3s] CNCF K3s Kubernetes kubelet configuration exposes credentials