
  • CVE-2025-29922: Unauthorized Object Manipulation via APIExport in kcp Virtual Workspaces

    Critical Authorization Flaw in kcp’s APIExport VirtualWorkspace

    On March 20, 2025, a critical vulnerability identified as CVE-2025-29922 was disclosed in kcp, the Kubernetes-like control plane developed by kcp-dev. The flaw allows a user who can reach an APIExport's virtual workspace to create or delete objects in arbitrary kcp workspaces, including workspaces that never opted in to that export.

    Understanding the Vulnerability

    kcp is a Kubernetes-like control plane in which tenants live in isolated workspaces and API providers publish APIs through APIExports. Its core security mechanism is consent: a workspace only receives an exported API, and the provider only gains access to that workspace's objects, when the workspace owner creates an APIBinding to the export and explicitly accepts the export's permission claims (for example, a claim on the workspace's ConfigMaps). The provider then reaches bound workspaces through the APIExport virtual workspace, which is supposed to enforce exactly that consent.

    However, due to improper authorization logic (categorized as CWE-285: Improper Authorization), a low-privileged user with access to the APIExport virtual workspace could use it to:

    • Create objects in any target workspace
    • Delete existing objects in workspaces that never granted the provider access

    This could occur even when:

    • No APIBinding exists in the target workspace
    • The workspace owner explicitly rejected the permission claim

    Effectively, the virtual workspace granted write access without consulting the consent model (APIBinding plus accepted permission claims) that is meant to isolate tenants in a kcp environment.
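    The check the virtual workspace has to make is easiest to see as code. The following is an added example written for this article, not kcp's own authorizer or types: it models an APIExport, the APIBindings of a few consumer workspaces, and a write request arriving through the export's virtual workspace, and returns a decision. All type and workspace names (widgets.example.com, root:teams:alpha, and so on) are constructed for illustration. The two denied cases at the end are precisely the two conditions the vulnerability bypassed.

```go
package main

import "fmt"

// ClaimState is the verdict a workspace owner records on each permission
// claim in an APIBinding (names are illustrative, not kcp's API types).
type ClaimState string

const (
	ClaimAccepted ClaimState = "Accepted"
	ClaimRejected ClaimState = "Rejected"
)

// GroupResource identifies an API resource, e.g. {"", "configmaps"}.
type GroupResource struct {
	Group    string
	Resource string
}

// APIExport is a provider's published API: the resources it serves itself
// plus the extra (claimed) resources it asks consumer workspaces for.
type APIExport struct {
	Path   string // provider workspace path, constructed example
	Name   string
	Served []GroupResource
	Claims []GroupResource
}

// APIBinding is a consumer workspace's opt-in to one export, including the
// owner's verdict on each claim. A claim absent from the map was never answered.
type APIBinding struct {
	Workspace  string
	ExportPath string
	ExportName string
	Claims     map[GroupResource]ClaimState
}

// Request is a single call arriving at the APIExport virtual workspace.
type Request struct {
	Workspace string // target workspace the provider wants to touch
	Verb      string // create, delete, get, ... every verb takes the same path
	GroupResource
}

// Authorize decides whether the request may reach the target workspace.
// The verb is deliberately irrelevant: a write is gated exactly like a read.
func Authorize(export APIExport, bindings []APIBinding, req Request) (bool, string) {
	var binding *APIBinding
	for i := range bindings {
		b := &bindings[i]
		if b.Workspace == req.Workspace && b.ExportPath == export.Path && b.ExportName == export.Name {
			binding = b
			break
		}
	}
	if binding == nil {
		return false, fmt.Sprintf("%s %s denied: no APIBinding to this export in %s", req.Verb, req.Resource, req.Workspace)
	}
	for _, gr := range export.Served {
		if gr == req.GroupResource {
			return true, "resource is served by the bound export"
		}
	}
	for _, gr := range export.Claims {
		if gr != req.GroupResource {
			continue
		}
		state, answered := binding.Claims[gr]
		switch {
		case !answered:
			return false, "permission claim not yet acknowledged by workspace owner"
		case state == ClaimAccepted:
			return true, "permission claim accepted by workspace owner"
		default:
			return false, "permission claim rejected by workspace owner"
		}
	}
	return false, "resource is neither served nor claimed by the export"
}

// SampleScenario builds constructed data: one export claiming ConfigMaps,
// one workspace that accepted the claim and one that rejected it.
func SampleScenario() (APIExport, []APIBinding) {
	export := APIExport{
		Path: "root:providers:widgets", Name: "widgets.example.com",
		Served: []GroupResource{{"widgets.example.com", "widgets"}},
		Claims: []GroupResource{{"", "configmaps"}},
	}
	bind := func(ws string, s ClaimState) APIBinding {
		return APIBinding{Workspace: ws, ExportPath: export.Path, ExportName: export.Name,
			Claims: map[GroupResource]ClaimState{{"", "configmaps"}: s}}
	}
	return export, []APIBinding{bind("root:teams:alpha", ClaimAccepted), bind("root:teams:beta", ClaimRejected)}
}

func main() {
	export, bindings := SampleScenario()
	cm := GroupResource{"", "configmaps"}
	for _, r := range []Request{
		{"root:teams:alpha", "create", cm},                                   // bound, claim accepted
		{"root:teams:beta", "create", GroupResource{"widgets.example.com", "widgets"}}, // served resource
		{"root:teams:beta", "delete", cm},                                    // claim rejected
		{"root:teams:gamma", "create", cm},                                   // no APIBinding at all
	} {
		ok, why := Authorize(export, bindings, r)
		fmt.Printf("%-5v %s %s in %s: %s\n", ok, r.Verb, r.Resource, r.Workspace, why)
	}
}
```

    The last two requests are the vulnerable cases: a target workspace with no APIBinding, and one whose owner rejected the claim. A correct virtual workspace denies both before the write reaches the target workspace; the pre-fix behaviour let them through.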

    CVSS Score and Impact

    The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (CRITICAL), using the following vector:

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

    Key factors contributing to this score include:

    • Attack Vector: Network – the virtual workspace is an HTTP API endpoint
    • Attack Complexity: Low – no special conditions are needed
    • Privileges Required: Low – an ordinary account with access to an APIExport virtual workspace suffices
    • User Interaction: None – no action by the victim workspace's owner is needed
    • Scope: Changed – the impact crosses from the provider's virtual workspace into other tenants' workspaces
    • Confidentiality and Integrity Impact: High – the integrity impact follows directly from unauthorized create and delete across tenant boundaries
    • Availability Impact: None – the control plane itself keeps running

    Remediation

    The issue has been patched in kcp versions 0.26.3 and 0.27.0. All users should:

    • Upgrade to a patched version immediately; no workaround is described for earlier releases
    • Review and audit APIExport usage and the APIBindings that reference each export
    • Verify that every workspace a provider can reach through an export actually holds an APIBinding to it, and that rejected permission claims are honoured

    There is currently no evidence of public exploitation, but the impact is severe if left unpatched.

    Conclusion

    CVE-2025-29922 exposes a critical breakdown in authorization within kcp's APIExport virtual workspace: the consent a workspace owner expresses through APIBindings and permission claims was not enforced for writes. Organizations relying on kcp for API-based service control should prioritize applying the 0.26.3 or 0.27.0 update and verifying their permission models. The case is a reminder that in multi-tenant control planes, every access path, including convenience views such as virtual workspaces, must apply the same authorization checks as the primary API.