CVE-2025-46599: 
Wolfi vulnerability analysis and mitigation

CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change that results in ReadOnlyPort being set to 10255 in certain situations. This vulnerability was discovered in April 2025 and affects K3s version 1.32 installations. The issue stems from a configuration change where the default behavior of a K3s online installation might allow unauthenticated access to this port, potentially exposing sensitive credentials (NVD, MITRE).

The vulnerability arose from switching from passing kubelet configuration via deprecated CLI flags to generating structured configuration using the v1beta1.KubeletConfiguration struct. Due to the omitempty tag in the ReadOnlyPort field of the Kubernetes golang struct, when the field is set to 0, it is dropped during YAML marshaling, causing the kubelet to revert to its default value of 10255. This behavior differs from previous K3s releases where the kubelet port was set to 0 by default (K3s Issue). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.8 MEDIUM (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) (NVD).

The vulnerability exposes sensitive information through the kubelet's read-only port (10255), which allows unauthenticated access. This exposure includes sensitive data such as passwords in environment variables, tokens, and access credentials. Both the k3s server and agent are affected by this default configuration, potentially compromising cluster security (BUG Report).

The issue can be mitigated by specifying the server & agent parameter '--kubelet-arg read-only-port=0' when starting K3s. This can be done either through the command line or by adding 'kubelet-arg: ["read-only-port=0"]' in the config.yaml file. A permanent fix has been implemented in version 1.32.4-rc1+k3s1 by setting the kubelet read-only-port via CLI flag (K3s Commit).