CVE-2025-29778
Wolfi vulnerability analysis and mitigation

Overview

Kyverno, a policy engine designed for cloud native platform engineering teams, contains a vulnerability (CVE-2025-29778) in which it ignores the subjectRegExp and issuerRegExp fields while verifying an artifact's signatures in keyless mode. The vulnerability was discovered and disclosed on March 24, 2025, and affects versions prior to 1.14.0-alpha.1. It allows attackers to deploy Kubernetes resources with artifacts signed by unexpected certificates (GitHub Advisory).

Technical details

The vulnerability stems from a logic error in the signature verification process: Kyverno checks only the subject and issuer fields when verifying an artifact's signature and ignores the subjectRegExp and issuerRegExp fields. The oversight is in the matchSignatures function of the cosign package. The vulnerability has been assigned a CVSS v3.1 score of 5.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N, indicating a network attack vector with high attack complexity and high privileges required (GitHub Advisory).

Impact

The vulnerability enables attackers to bypass part of the verification mechanism, potentially leading to the deployment of unauthorized Kubernetes resources. This could result in a full compromise of the Kubernetes cluster if exploited successfully. The impact is particularly significant in environments where certificate validation is crucial for maintaining security boundaries (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 1.14.0-alpha.1. Users are strongly advised to upgrade to this version or later to address the security issue. The fix involves modifying the condition check in the matchSignatures function to properly validate both subjectRegExp and issuerRegExp fields (GitHub Commit).
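The following Go example, added here and not taken from Kyverno's code base, models the condition check described in the Technical details and Mitigation sections above. The certIdentity and attestorCriteria types, the function names, and the sample subject and issuer strings are this example's own constructions; only the four policy field names (subject, subjectRegExp, issuer, issuerRegExp) and the existence of a matchSignatures function come from the advisory. It places the pre-fix early-return logic beside the corrected one so that the difference can be exercised directly.

```go
package main

import (
	"fmt"
	"regexp"
)

// certIdentity is a constructed stand-in for the identity a keyless (Fulcio)
// signing certificate carries: the subject (SAN) and the OIDC issuer.
type certIdentity struct {
	Subject string
	Issuer  string
}

// attestorCriteria holds the four keyless matching fields a policy can set.
// The field names follow the policy fields named in the advisory; the struct
// itself is this example's own, not Kyverno's.
type attestorCriteria struct {
	Subject       string
	SubjectRegExp string
	Issuer        string
	IssuerRegExp  string
}

// matchField checks one certificate value against an exact string and/or a
// regular expression; an empty criterion imposes no constraint.
func matchField(name, got, exact, pattern string) error {
	if exact != "" && got != exact {
		return fmt.Errorf("%s mismatch: got %q, want %q", name, got, exact)
	}
	if pattern != "" {
		re, err := regexp.Compile(pattern)
		if err != nil {
			return fmt.Errorf("invalid %sRegExp %q: %w", name, pattern, err)
		}
		if !re.MatchString(got) {
			return fmt.Errorf("%s %q does not match %q", name, got, pattern)
		}
	}
	return nil
}

// matchIdentity applies all four criteria to one certificate identity.
func matchIdentity(id certIdentity, c attestorCriteria) error {
	if err := matchField("subject", id.Subject, c.Subject, c.SubjectRegExp); err != nil {
		return err
	}
	return matchField("issuer", id.Issuer, c.Issuer, c.IssuerRegExp)
}

// matchAny succeeds if at least one signature's certificate satisfies the policy.
func matchAny(sigs []certIdentity, c attestorCriteria) error {
	var errs []error
	for _, s := range sigs {
		err := matchIdentity(s, c)
		if err == nil {
			return nil
		}
		errs = append(errs, err)
	}
	return fmt.Errorf("no signature matched policy: %v", errs)
}

// matchSignaturesVulnerable models the behaviour the advisory describes for
// versions before 1.14.0-alpha.1: the "nothing to verify" early return looks
// only at subject and issuer, so a policy whose constraints are expressed
// purely as regular expressions is never applied.
func matchSignaturesVulnerable(sigs []certIdentity, c attestorCriteria) error {
	if c.Subject == "" && c.Issuer == "" {
		return nil // BUG: SubjectRegExp / IssuerRegExp are never consulted
	}
	return matchAny(sigs, c)
}

// matchSignaturesFixed models the patched condition: the early return only
// fires when none of the four fields is set.
func matchSignaturesFixed(sigs []certIdentity, c attestorCriteria) error {
	if c.Subject == "" && c.SubjectRegExp == "" && c.Issuer == "" && c.IssuerRegExp == "" {
		return nil
	}
	return matchAny(sigs, c)
}

func main() {
	// Constructed sample: a signature whose certificate belongs to a workflow
	// outside the organisation the policy intends to trust.
	sigs := []certIdentity{{
		Subject: "https://github.com/other-org/repo/.github/workflows/release.yml@refs/heads/main",
		Issuer:  "https://token.actions.githubusercontent.com",
	}}
	policy := attestorCriteria{
		SubjectRegExp: `^https://github\.com/example-org/`,
		IssuerRegExp:  `^https://token\.actions\.githubusercontent\.com$`,
	}
	fmt.Println("vulnerable:", matchSignaturesVulnerable(sigs, policy)) // <nil>: accepted
	fmt.Println("fixed:     ", matchSignaturesFixed(sigs, policy))      // error: rejected
}
```

The practical check for a cluster operator follows from the model: any policy that relies on subjectRegExp or issuerRegExp alone, with no exact subject or issuer, receives no identity verification at all on affected versions, so such policies should be reviewed alongside the upgrade.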

Community reactions

The vulnerability was initially discovered during testing of image signature verification with keyless signing, and was discussed in the Kubernetes Slack community. The issue was subsequently verified and fixed by the Kyverno development team, who acknowledged its significance as a security problem that could bypass part of the verification mechanism (GitHub Advisory).

Additional resources


Source

This report was generated using AI.

Related Wolfi vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name          | CISA KEV exploit | Has fix | Published date
CVE-2025-15514 | HIGH     | 8.7   | Wolfi        | cpe:2.3:a:ollama:ollama | No               | No      | Jan 12, 2026
CVE-2026-21860 | MEDIUM   | 6.3   | Python       | mlflow                  | No               | Yes     | Jan 08, 2026
CVE-2026-22691 | LOW      | 2.7   | Python       | pypdf                   | No               | Yes     | Jan 10, 2026
CVE-2026-22690 | LOW      | 2.7   | Python       | pypdf                   | No               | Yes     | Jan 10, 2026
CVE-2026-22784 | LOW      | 2.3   | Wolfi        | lychee                  | No               | Yes     | Jan 12, 2026
