DEBIAN-CVE-2025-4563

DEBIAN-CVE-2025-4563 PUBLISHED CVSS 2.700000047683716 LOW

A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.

Risk Scores

CVSS 3.1

2.700000047683716

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Affected Products

Vendor	Product	Versions
Debian:14	kubernetes	0, 0
Debian:11	kubernetes	0, 0
Debian:12	kubernetes	0, 0
Debian:13	kubernetes	0, 0

Timeline

Jun 23, 2025 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-4563 advisory

Open in Interactive Console →