CVE-2025-47281: 
Wolfi vulnerability analysis and mitigation

Kyverno, a policy engine designed for cloud native platform engineering teams, was found to contain a Denial of Service (DoS) vulnerability (CVE-2025-47281) in versions 1.14.1 and below. The vulnerability was discovered on July 23, 2025, and affects the handling of JMESPath variable substitutions (GitHub Advisory, NVD).

The vulnerability exists due to improper handling of JMESPath variable substitutions in the getValueAsStringMap function. When attackers craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | nonexistentfunction}}), it leads to a nil value being substituted into the policy structure. The subsequent processing by internal functions results in a panic due to a type assertion failure when interface {} is nil, not string. The vulnerability has been assigned a CVSS v3.1 base score of 7.7 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H (GitHub Advisory).

The vulnerability causes crashes in Kyverno worker threads in the admission controller and leads to continuous crashes of the reports controller pod. In Enforce mode, this can result in full admission controller unavailability. The impact includes degraded policy enforcement, inability to create/update resources, and loss of policy reporting visibility (GitHub Advisory).

The vulnerability has been fixed in version 1.14.2. The fix includes proper nil checking before type assertions and uses type switching to safely handle non-string values. Organizations are advised to upgrade to this version or later (GitHub Patch, GitHub Advisory).