CVE-2025-29778
Published: 24 March 2025
Summary
CVE-2025-29778 is a medium-severity Improper Authorization (CWE-285) vulnerability in Kyverno. Its CVSS base score is 5.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Defense Evasion (T1211). The CVE ranks at the 24.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-29778 is a vulnerability in Kyverno, a policy engine designed for cloud native platform engineering teams, affecting versions prior to 1.14.0-alpha.1. In keyless mode, Kyverno ignores the subjectRegExp and IssuerRegExp parameters during artifact signature verification: the signature itself is still checked, but the identity constraints expressed through these regular expressions are never applied. This improper authorization flaw, classified under CWE-285, enables the deployment of Kubernetes resources using artifacts signed by unexpected certificates.
Exploitation is possible over the network (AV:N) with high attack complexity (AC:H); it requires high privileges (PR:H) and no user interaction (UI:N). A successful attack allows deployment of unauthorized Kubernetes resources, resulting in high integrity impact (I:H) with changed scope (S:C), and potentially full compromise of the Kubernetes cluster.
Kyverno version 1.14.0-alpha.1 includes a patch for the issue, as detailed in the associated GitHub security advisory (GHSA-46mp-8w32-6g94), commit (8777672fb17bdf252bd2e7d8de3441e240404a60), and pull request (#12237). Practitioners should upgrade to the patched version to mitigate the vulnerability.
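To make the authorization point concrete, the following Go program is an added example written for this page; it is not Kyverno's code and does not reproduce the patched logic. It models a keyless attestor with the four identity fields the advisory names (subject, issuer, subjectRegExp, issuerRegExp), a regex-aware `Authorize` check, and an `authorizeExactOnly` model of the pre-fix behaviour in which the regex fields are never consulted. The field semantics (exact value takes precedence, neither set is a misconfiguration) and the sample identities and policy are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// SignerIdentity is what a verifier learns from a keyless (Fulcio-issued)
// signing certificate: the subject SAN and the OIDC issuer recorded in the
// certificate extension.
type SignerIdentity struct {
	Subject string
	Issuer  string
}

// KeylessAttestor carries the four identity constraints named in the
// advisory (subject, issuer, subjectRegExp, issuerRegExp). Their semantics
// below are this example's assumption, not Kyverno's implementation.
type KeylessAttestor struct {
	Subject       string
	Issuer        string
	SubjectRegExp string
	IssuerRegExp  string
}

// matchField checks one identity field. An exact value takes precedence;
// otherwise the regular expression is applied. An attestor that sets neither
// is rejected as misconfigured instead of being read as "accept anything".
func matchField(observed, exact, pattern string) (bool, error) {
	switch {
	case exact != "":
		return observed == exact, nil
	case pattern != "":
		re, err := regexp.Compile(pattern)
		if err != nil {
			return false, fmt.Errorf("invalid regexp %q: %w", pattern, err)
		}
		return re.MatchString(observed), nil
	default:
		return false, errors.New("attestor sets neither an exact value nor a regexp for this field")
	}
}

// Authorize reports whether a signer identity is one the attestor trusts.
// Both the subject constraint and the issuer constraint must be satisfied.
func Authorize(a KeylessAttestor, id SignerIdentity) (bool, error) {
	ok, err := matchField(id.Subject, a.Subject, a.SubjectRegExp)
	if err != nil || !ok {
		return false, err
	}
	ok, err = matchField(id.Issuer, a.Issuer, a.IssuerRegExp)
	if err != nil || !ok {
		return false, err
	}
	return true, nil
}

// authorizeExactOnly models the behaviour the advisory describes for versions
// before 1.14.0-alpha.1: only the exact fields are consulted, so a policy that
// constrains the signer purely through subjectRegExp/issuerRegExp fails open.
// This is an illustrative model, not Kyverno's code.
func authorizeExactOnly(a KeylessAttestor, id SignerIdentity) bool {
	if a.Subject != "" && id.Subject != a.Subject {
		return false
	}
	if a.Issuer != "" && id.Issuer != a.Issuer {
		return false
	}
	return true
}

// Constructed sample inputs: a policy that pins signatures to tagged release
// workflows of one GitHub organisation, plus two candidate signers.
var (
	ReleasePolicy = KeylessAttestor{
		SubjectRegExp: `^https://github\.com/example-org/[^/]+/\.github/workflows/release\.ya?ml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$`,
		IssuerRegExp:  `^https://token\.actions\.githubusercontent\.com$`,
	}
	ExpectedSigner = SignerIdentity{
		Subject: "https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/v1.2.3",
		Issuer:  "https://token.actions.githubusercontent.com",
	}
	RogueSigner = SignerIdentity{
		Subject: "https://github.com/someone-else/app/.github/workflows/release.yml@refs/tags/v1.2.3",
		Issuer:  "https://token.actions.githubusercontent.com",
	}
)

func main() {
	for name, id := range map[string]SignerIdentity{"expected": ExpectedSigner, "rogue": RogueSigner} {
		fixed, err := Authorize(ReleasePolicy, id)
		fmt.Printf("%-8s regex-aware: %v (err=%v)  exact-only: %v\n", name, fixed, err, authorizeExactOnly(ReleasePolicy, id))
	}
}
```

The rogue identity carries a perfectly valid Fulcio-style certificate from the same issuer; only the subject regex distinguishes it, which is why a verifier that skips the regex fields admits it. Two defensive habits follow: anchor identity patterns with `^` and `$`, and treat an attestor with no identity constraint as a configuration error rather than a wildcard.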
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7996
Vulnerability details
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying an artifact's signature in keyless mode. It allows the attacker to deploy Kubernetes resources with artifacts that were signed by an unexpected certificate. Deploying these unauthorized Kubernetes resources can lead to full compromise of the Kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses Kyverno's signature identity verification (subjectRegExp/IssuerRegExp), enabling unauthorized container deployments (T1610) and defense evasion through policy bypass (T1211), with a scope change that can extend to full cluster compromise.
Mitigating Controls (NIST 800-53 r5)
- Software and information integrity: requires integrity verification of software and information using approved methods, which directly prevents the deployment of unauthorized Kubernetes resources that Kyverno's flawed signature checks (ignoring subjectRegExp and IssuerRegExp) would otherwise admit.
- CM-14 (Signed Components): mandates digital signing of components and signature verification prior to installation or execution, mitigating the improper authorization in Kyverno's keyless artifact verification.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of system flaws, such as patching Kyverno to version 1.14.0-alpha.1 to fix the signature verification bypass.