Tag: kubernetes

  • Critical Privilege Escalation in Argo Events via EventSource and Sensor CR (CVE-2025-32445)

    Overview

    CVE-2025-32445 reveals a critical security flaw in Argo Events, an event-driven workflow automation framework for Kubernetes. The vulnerability allows users with limited privileges to escalate access and gain control over the host system and the entire Kubernetes cluster.

    Technical Details

    The issue arises from the way EventSource and Sensor custom resources (CRs) are handled. Users with permission to create or modify these resources can manipulate the spec.template and spec.template.container fields; the container field is based on the k8s.io/api/core/v1.Container type.

    This means arbitrary container properties, such as command, args, securityContext, and volumeMounts, can be specified. By crafting malicious CRs, an attacker could launch pods with elevated privileges, enabling host-level access and control over the cluster.

    The vulnerability is categorized under CWE-250: Execution with Unnecessary Privileges. It demonstrates how insufficient restriction on customization of Kubernetes resources can expose systems to severe privilege escalation risks.

    Severity and CVSS

    According to the CVSS 3.1 scoring system, this vulnerability has a base score of 10.0 (Critical), indicating maximum severity. The CVSS vector is:

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, Availability: High

    This indicates a low barrier to exploitation with a highly impactful result, making immediate remediation essential.

    Affected Versions

    This vulnerability affects all versions of Argo Events prior to v1.9.6. The issue has been fixed in version 1.9.6, which introduces stricter controls around custom resource specifications.

    Recommendations

    • Upgrade to Argo Events v1.9.6 or later immediately.
    • Review user permissions for EventSource and Sensor CRs to ensure only trusted users can modify them.
    • Audit existing CR definitions for signs of abuse or unexpected configurations.
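    One way to carry out the audit in the last recommendation, as an added example that is not Argo Events project code: it walks the objects that `kubectl get eventsources,sensors -A -o json` returns and flags the container settings the advisory names (privileged securityContext, root user, command/args overrides, hostPath volumeMounts). The location of the volume list at spec.template.volumes is an assumption, and the sample objects are constructed.

    ```python
    # Added audit for CVE-2025-32445 (not Argo Events project code): walk the
    # objects returned by `kubectl get eventsources,sensors -A -o json` and flag
    # spec.template.container settings that would give the event pod host access.


    def audit_cr(obj):
        """Return (object, finding) tuples for one EventSource or Sensor object."""
        meta = obj.get("metadata", {})
        ident = f'{obj.get("kind")}/{meta.get("namespace")}/{meta.get("name")}'
        tmpl = obj.get("spec", {}).get("template") or {}
        ctr = tmpl.get("container") or {}
        sc = ctr.get("securityContext") or {}
        out = []
        if sc.get("privileged"):
            out.append((ident, "privileged container"))
        if sc.get("runAsUser") == 0:
            out.append((ident, "runs as root (runAsUser: 0)"))
        if ctr.get("command") or ctr.get("args"):
            out.append((ident, "overrides the image's command/args"))
        # hostPath volumes are assumed to be declared at spec.template.volumes;
        # they matter once the container actually mounts them.
        host_vols = {v.get("name") for v in tmpl.get("volumes") or [] if "hostPath" in v}
        for m in ctr.get("volumeMounts") or []:
            if m.get("name") in host_vols:
                out.append((ident, f'hostPath volume mounted at {m.get("mountPath")}'))
        return out


    def audit_list(obj_list):
        """Audit every item of a kubectl List object; empty result means clean."""
        return [f for item in obj_list.get("items", []) for f in audit_cr(item)]


    # Constructed sample: one ordinary EventSource and one Sensor whose template
    # asks for a privileged root container with the node filesystem mounted.
    SAMPLE = {"items": [
        {"kind": "EventSource", "metadata": {"name": "webhook", "namespace": "argo-events"},
         "spec": {"template": {"container": {"resources": {"limits": {"cpu": "100m"}}}}}},
        {"kind": "Sensor", "metadata": {"name": "suspicious", "namespace": "dev"},
         "spec": {"template": {
             "volumes": [{"name": "node-root", "hostPath": {"path": "/"}}],
             "container": {
                 "command": ["/bin/sh"], "args": ["-c", "sleep infinity"],
                 "securityContext": {"privileged": True, "runAsUser": 0},
                 "volumeMounts": [{"name": "node-root", "mountPath": "/host"}]}}}},
    ]}

    if __name__ == "__main__":
        for ident, finding in audit_list(SAMPLE):
            print(f"{ident}: {finding}")
    ```

    Pipe real cluster output into `audit_list(json.load(sys.stdin))` to run it against live CRs; any finding is a CR that deserves a manual look.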

    Conclusion

    CVE-2025-32445 exemplifies how misconfigured permissions and overly flexible resource definitions in Kubernetes environments can lead to critical privilege escalation. Organizations using Argo Events should treat this vulnerability as a high-priority security concern and act swiftly to secure their clusters.

    More details can be found in the official advisory: GitHub Security Advisory

  • Critical RCE Vulnerability in Kubernetes ingress-nginx (CVE-2025-1974)

    Overview

    A critical security vulnerability has been identified in the Kubernetes ingress-nginx controller, tracked as CVE-2025-1974. This vulnerability allows unauthenticated attackers with access to the pod network to achieve Remote Code Execution (RCE) within the context of the ingress-nginx controller, potentially leading to the disclosure of Kubernetes Secrets across the cluster.

    Technical Details

    The vulnerability stems from the Validating Admission Controller module in the ingress-nginx project. Under certain misconfigured conditions, it is possible for an attacker to inject and execute arbitrary code through this admission controller if they can reach the controller from within the pod network.

    The affected versions include:

    • All versions up to 1.11.4
    • 1.12.0

    This issue was caused by improper isolation or compartmentalization, which corresponds to CWE-653. The underlying attack pattern matches CAPEC-251: Local Code Inclusion.

    CVSS and Severity

    According to the Common Vulnerability Scoring System (CVSS) v3.1, this vulnerability has been assigned a base score of 9.8, indicating a Critical severity level. The vector string is as follows:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This means that the attack:

    • Is remotely exploitable over the network
    • Requires no user interaction
    • Requires no privileges
    • Results in high impact to confidentiality, integrity, and availability

    Impact and Risks

    If exploited, attackers may gain the ability to run arbitrary commands in the controller’s context. Since ingress-nginx controllers commonly have access to all cluster Secrets by default, this could lead to severe data leakage, credential theft, and cluster-wide compromise.

    Security researchers Nir Ohfeld, Ronen Shustin, Sagi Tzadik, and Hillai Ben Sasson were credited with discovering this issue. It was also assessed under the CISA SSVC framework as having:

    • Exploitation: Proof of Concept (PoC)
    • Automatable: yes
    • Technical Impact: total

    Mitigation and Workaround

    Before applying the official patch, system administrators can mitigate this vulnerability by disabling the Validating Admission Controller in ingress-nginx. However, this may affect some admission control policies, so review your cluster’s configuration accordingly.

    To disable the controller, modify the deployment to remove or comment out the relevant webhook configurations. More details are available on the Kubernetes GitHub issue: GitHub Issue 131009.
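    An added check (not ingress-nginx project code) that covers both the affected-version list above and this workaround: given the controller Deployment as returned by `kubectl -n ingress-nginx get deploy -o json`, it reports whether the image tag is in the range the advisory states and whether the validating admission webhook is still switched on. It assumes the `--validating-webhook` container argument is what enables the webhook, and the sample Deployment is constructed.

    ```python
    # Added check for CVE-2025-1974 (not ingress-nginx project code): given the
    # controller Deployment from `kubectl -n ingress-nginx get deploy -o json`,
    # report whether the image tag is in the affected range and whether the
    # admission webhook is still on (assumed to be the --validating-webhook arg).
    import re


    def parse_version(tag):
        """'v1.11.4' -> (1, 11, 4); None for digests, 'latest' or custom tags."""
        m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag or "")
        return tuple(int(x) for x in m.groups()) if m else None


    def is_affected(tag):
        """Affected range as the advisory states it: up to 1.11.4, plus 1.12.0.
        None means the version could not be determined from the tag."""
        v = parse_version(tag)
        return None if v is None else (v <= (1, 11, 4) or v == (1, 12, 0))


    def image_tag(image):
        """Tag part of an image reference, ignoring any @sha256 digest."""
        _, sep, tag = image.split("@", 1)[0].rpartition(":")
        return tag if sep and "/" not in tag else None


    def audit_deployment(deploy):
        """Return a list of findings for the ingress-nginx controller Deployment."""
        findings = []
        for c in deploy["spec"]["template"]["spec"].get("containers", []):
            tag = image_tag(c.get("image", ""))
            affected = is_affected(tag)
            if affected:
                findings.append(f'{c["name"]}: version {tag} is in the affected range')
            elif affected is None:
                findings.append(f'{c["name"]}: version unknown from image {c.get("image")}')
            args = list(c.get("command") or []) + list(c.get("args") or [])
            # `--validating-webhook-certificate` etc. are not the on/off switch.
            if any(a == "--validating-webhook" or a.startswith("--validating-webhook=")
                   for a in args):
                findings.append(f'{c["name"]}: validating admission webhook is enabled')
        return findings


    # Constructed sample: a 1.12.0 controller with the admission webhook enabled.
    SAMPLE = {"spec": {"template": {"spec": {"containers": [{
        "name": "controller",
        "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0",
        "args": ["--validating-webhook=:8443",
                 "--validating-webhook-certificate=/certs/cert"]}]}}}}
    ```

    An empty result from `audit_deployment` means the controller is outside the stated affected range and the webhook argument is absent; a "version unknown" finding means the tag must be checked by hand.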

    Conclusion

    CVE-2025-1974 highlights the importance of strict isolation and privilege boundaries within Kubernetes controllers. Administrators using ingress-nginx should update to a patched version as soon as it becomes available, and review network access controls within their clusters.