CVE-2025-48710

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/kro-run/kro/compare/v0.2.1...v0.2.2
https://orca.security/resources/blog/kubernetes-crd-abstraction-risks-kro/

Configurations

No configuration.

History

04 Jun 2025, 14:54

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-04 06:15

Updated : 2025-06-04 14:54

NVD link : CVE-2025-48710

Mitre link : CVE-2025-48710

CVE.ORG link : CVE-2025-48710

JSON object : View

Products Affected

No product.

CWE

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

4.1 /10