CVE-2025-47281 — Vulnetix

CVE-2025-47281 PUBLISHED

Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function }}). This leads to a nil value being substituted into the policy structure. Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values, results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno worker threads in the admission controller and causes continuous crashes of the reports controller pod. This is fixed in version 1.14.2.

EPSS 0.12% · 31.1th percentile

Risk Scores

EPSS Score

0.12%

31.1th percentile

Affected Products

Vendor	Product	Versions
Bitnami	kyverno	0
Bitnami	kyverno	0

Exploit Intelligence

CIRCL seen: CVE-2025-47281 (circl-sighting)
https://github.com/kyverno/kyverno/commit/cbd7d4ca24de1c55396fc3295e9fc3215832be7c (circl)
https://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggq (cve.org)

Timeline

Jan 21, 1970 Security Advisory
Jul 22, 2025 CVE Published
Jul 23, 2025 CVE Updated
Jul 23, 2025 Coalition ESS Score
Jul 24, 2025 EPSS Score
Jul 24, 2025 PoC Published
Jul 25, 2025 Coalition ESS Score
Aug 2, 2025 EPSS Score
Aug 5, 2025 Coalition ESS Score
Aug 11, 2025 EPSS Score
Aug 20, 2025 EPSS Score
Aug 22, 2025 Coalition ESS Score

References

Open in Interactive Console →