CVE-2025-48710 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-48710 PUBLISHED CVSS 4.099999904632568 MEDIUM

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

EPSS 0.28% · 51.0th percentile

Risk Scores

CVSS v3.1

4.099999904632568

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

EPSS Score

0.28%

51.0th percentile

Affected Products

Vendor	Product	Versions
kro.run	kro	0.1.0, 0.1.0
github.com	kro-run/kro	0.1.0, 0.1.0

Timeline

Jun 4, 2025 CVE Published
Jun 4, 2025 EPSS Score
Jun 4, 2025 PoC Published
Jun 5, 2025 CVE Updated
Jun 13, 2025 Coalition ESS Score
Jun 14, 2025 EPSS Score
Jun 24, 2025 EPSS Score
Jul 4, 2025 EPSS Score
Jul 15, 2025 EPSS Score
Jul 25, 2025 EPSS Score
Aug 4, 2025 EPSS Score
Aug 14, 2025 EPSS Score

References

Open in Interactive Console →