CVE-2025-47281

HIGH EPSS 37.5%
Published Jul 23, 202511mo ago · Modified Jun 17, 20262w ago
7.7 CVSS 3.1
High
Find Similar
Published Jul 23, 2025 11mo ago
Last Modified Jun 17, 2026 2w ago

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function }}). This leads to a nil value being substituted into the policy structure. Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values, results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno worker threads in the admission controller and causes continuous crashes of the reports controller pod. This is fixed in version 1.14.2.

CVSS Details

Base Score
7.7
Exploitability
3.1
Impact
4.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
37.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation
CWE-248

Affected Products 1

VendorProductVersionRange
kyvernokyverno* <1.14.2

References 2

  • github.com https://github.com/kyverno/kyverno/commit/cbd7d4ca24de1c55396fc3295e9fc3215832be7c
    Patch
  • github.com https://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggq
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/kyverno/kyverno/commit/cbd7d4ca24de1c55396fc3295e9fc3215832be7c
    Patch