CVE-2025-47281: 
Wolfi vulnerability analysis and mitigation

Kyverno, a policy engine designed for cloud native platform engineering teams, contains a Denial of Service (DoS) vulnerability (CVE-2025-47281) in versions 1.14.1 and below. The vulnerability was discovered in July 2025 and stems from improper handling of JMESPath variable substitutions (GitHub Advisory).

The vulnerability exists in the getValueAsStringMap function within pkg/engine/wildcards/wildcards.go. Attackers can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | nonexistentfunction}}). This leads to a nil value being substituted into the policy structure, causing a type assertion failure when internal functions expect string values. The vulnerability has a CVSS v3.1 base score of 7.7 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H (GitHub Advisory, NVD).

The vulnerability results in crashes of Kyverno worker threads in the admission controller and continuous crashes of the reports controller pod. In Enforce mode, this can lead to full admission controller unavailability, while in Audit mode it causes service degradation. The impact affects both the admission controller's ability to process requests and the reports controller's functionality for policy reporting (GitHub Advisory).

The vulnerability has been fixed in version 1.14.2. Users are recommended to upgrade to this version or later. The fix includes proper nil checking before type assertions and safe handling of non-string values in the affected functions (GitHub Advisory).