CVE-2025-4563: 
Linux Debian vulnerability analysis and mitigation

A vulnerability (CVE-2025-4563) exists in the Kubernetes NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. The vulnerability was discovered and reported by @amitschendel, affecting kube-apiserver versions v1.32.0 through v1.32.5 and v1.33.0 through v1.33.1. The issue occurs when the DynamicResourceAllocation feature gate is enabled, where the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation (Kubernetes Security).

The vulnerability has been assigned a Low severity rating with a CVSS score of 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). The technical issue lies in the NodeRestriction admission controller's validation process, specifically when handling pod creation with dynamic resource allocation. The vulnerability only affects clusters using both the DynamicResourceAllocation feature (which is disabled by default) and static pods together (Kubernetes Security).

When exploited, this vulnerability allows a compromised node to create mirror pods that can access unauthorized dynamic resources, potentially leading to privilege escalation. The impact is limited to environments where both the DynamicResourceAllocation feature is enabled and static pods are in use (Kubernetes Security).

The vulnerability has been patched in kube-apiserver versions >= v1.32.6 and >= v1.33.2. For immediate mitigation, if not actively using the DynamicResourceAllocation features, it is recommended to disable the feature on the API server. This is considered the safest and simplest mitigation action (Kubernetes Security).

The vulnerability was addressed through a coordinated effort by the Kubernetes Security Response Committee, with contributions from security experts including Patrick Ohly, Jordan Liggitt, Balaji, Rita Zhang, and Marko Mudrinić (Kubernetes Security).