CVE-2025-55205: 
vulnerability analysis and mitigation

CVE-2025-55205 is a critical namespace label injection vulnerability discovered in Capsule v0.10.3 and earlier versions, affecting the multi-tenancy and policy-based framework for Kubernetes. The vulnerability was disclosed on August 18, 2025, and allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system). This vulnerability affects organizations running Capsule v0.10.3 or earlier, particularly enterprises and cloud service providers offering Kubernetes-as-a-Service with Capsule (NVD, SecurityOnline).

The vulnerability originates from Capsule's namespace validation webhook logic, specifically in pkg/webhook/namespace/validation/patch.go. The critical flaw lies in a conditional check that only validates tenant ownership when a namespace already has a tenant label. Since system namespaces like kube-system and default do not have tenant labels by default, Capsule fails to protect them, allowing attackers to inject arbitrary labels unchecked. The vulnerability has been assigned a CVSS v3.1 score of 9.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (GitHub Advisory).

The vulnerability has severe consequences for organizations running multi-tenant Kubernetes clusters. It enables multi-tenant isolation bypass, allowing attackers to break tenant boundaries and access other tenants' resources. The vulnerability can lead to privilege escalation, data exfiltration of sensitive information from secrets and configmaps, resource quota bypass, and circumvention of security policies. Real-world impacts include potential extraction of kube-system secrets, modification of system configurations, and cross-tenant data theft (SecurityOnline).

The vulnerability has been fixed in Capsule version 0.10.4. Administrators are strongly advised to update their Capsule installations to this version as soon as possible. No alternative workarounds have been provided in the advisory (NVD).