CVE-2025-48710
PUBLISHED
CVSS 4.1 MEDIUM
kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.
EPSS 0.75% · 73.5th percentile
Risk Scores
CVSS 3.1
4.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
EPSS Score
0.75%
73.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| kro.run | kro | 0.1.0 |
| github.com | kro-run/kro | 0.1.0 |
Exploit Intelligence
Timeline
- Jun 4, 2025 CVE Published
- Jun 4, 2025 EPSS Score
- Jun 4, 2025 PoC Published
- Jun 5, 2025 CVE Updated
- Jun 13, 2025 Coalition ESS Score
- Jun 15, 2025 EPSS Score
- Jun 25, 2025 EPSS Score
- Jul 6, 2025 EPSS Score
- Jul 17, 2025 EPSS Score
- Jul 27, 2025 EPSS Score
- Aug 7, 2025 EPSS Score
- Aug 18, 2025 EPSS Score
References
- https://github.com/kro-run/kro/compare/v0.2.1...v0.2.2 url
- https://orca.security/resources/blog/kubernetes-crd-abstraction-risks-kro/ url
- https://nvd.nist.gov/vuln/detail/CVE-2025-48710 advisory
- https://github.com/kro-run/kro package