Wiz
Vulnerability DatabaseCVE-2025-46342

CVE-2025-46342
Wolfi vulnerability analysis and mitigation

Overview

Kyverno, a policy engine designed for cloud native platform engineering teams, was found to have a critical vulnerability (CVE-2025-46342) affecting versions prior to 1.13.5 and 1.14.0. The vulnerability was discovered by anbrsap and publicly disclosed on April 29, 2025. The issue stems from a missing error propagation in the GetNamespaceSelectorsFromNamespaceLister function within pkg/utils/engine/labels.go, which affects policy rules using namespace selector(s) in their match statements during admission review request processing (GitHub Advisory).

Technical details

The vulnerability occurs when handling admission webhooks, where the GetNamespaceSelectorsFromNamespaceLister function fails to propagate errors when retrieving namespace object labels from a NamespaceLister, instead returning an empty label map. This happens particularly when the underlying SharedIndexInformer hasn't updated its cache. The issue has been assigned a CVSS v3.1 base score of 8.5 (High), with attack vector: Network, attack complexity: High, privileges required: Low, user interaction: None, scope: Changed, and impact metrics all rated as High (GitHub Advisory, NVD).

Impact

The vulnerability allows security-critical mutations and validations to be bypassed, potentially enabling attackers with Kubernetes API access to perform malicious operations. When triggered, Kyverno processes admission review requests as if certain policy rules don't exist, leading to Kubernetes API requests being accepted without applying necessary security-relevant patches and validations. This particularly affects administrators attempting to enforce cluster security through Kyverno policies while allowing less privileged users or service accounts to create/update/delete resources (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in Kyverno versions 1.13.5 and 1.14.0. The fix involves modifying the GetNamespaceSelectorsFromNamespaceLister function to return an error instead of an empty label map when it cannot retrieve the namespace object. This causes admission webhook processing to fail, leading Kubernetes to fail the API request if the policy's failure policy is set to Fail (GitHub Advisory).

Additional resources

SourceThis report was generated using AI

Related Wolfi vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-66471HIGH8.9
  • PythonPython
  • py3-urllib3
NoYesDec 05, 2025
CVE-2025-66418HIGH8.9
  • PythonPython
  • python-urllib3
NoYesDec 05, 2025
CVE-2025-66564HIGH7.5
  • Datadog AgentDatadog Agent
  • cosign
NoYesDec 04, 2025
CVE-2025-66490MEDIUM6.9
  • WolfiWolfi
  • traefik-3
NoYesDec 09, 2025
CVE-2025-66491MEDIUM5.9
  • WolfiWolfi
  • traefik
NoYesDec 09, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo