CVE-2025-4563
Published: 2025-06-23
Priority: P4 · 12 · low
CVSS 3.1 base score: 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L)
EPSS: 0.65% (46.5th percentile)
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | >= 1.32.0 < 1.32.6 | 1.32.6 |
| k8s.io | kubernetes | >= 1.33.0 < 1.33.2 | 1.33.2 |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| msrc | azl3_kubernetes_1.30.10-9_on_azure_linux_3.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 2.7 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L |
| osv | 2.7 | LOW | — |
| vendor_debian | 2.7 | LOW | — |
| vendor_msrc | 2.7 | LOW | — |
| vendor_redhat | 2.7 | LOW | — |
Red Hat (vendor_redhat · 2025-06-19 · CVSS 2.7 · LOW · CWE-863)
kube-apiserver: NodeRestriction Admission Controller Dynamic Resource Allocation Bypass
A flaw was found in the Kubernetes NodeRestriction admission controller when the DynamicResourceAllocation feature is enabled. While this controller properly validates resource claims during pod status updates, it fails
Microsoft (vendor_msrc · 2025-06-10 · CVSS 2.7 · LOW · CWE-20)
Nodes can bypass dynamic resource allocation authorization checks
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Products: Mariner, kubernetes
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian (vendor_debian · 2025 · CVSS 2.7 · LOW)
CVE-2025-4563: kubernetes - A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
OSV (osv · 2025-07-28)
Kubernetes allows nodes to bypass dynamic resource allocation authorization checks in k8s.io/kubernetes
OSV (osv · 2025-06-23 · CVSS 2.7 · LOW)
CVE-2025-4563: A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks
OSV (osv · 2025-06-23 · LOW)
kubernetes allows nodes to bypass dynamic resource allocation authorization checks
GHSA (ghsa · 2025-06-23 · LOW · CWE-863)
kubernetes allows nodes to bypass dynamic resource allocation authorization checks
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.