
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-64171 is a cross-namespace vulnerability in the MARIN3R operator that affects all versions prior to v0.13.4. The vulnerability was discovered and disclosed on November 4, 2025. It affects the DiscoveryServiceCertificate functionality of the operator in Kubernetes deployments that use this component (GitHub Advisory, Miggo).
The vulnerability exists in the getIssuerCertificate function of the CertificateProvider struct, located in internal/pkg/reconcilers/operator/discoveryservicecertificate/providers/marin3r/crud.go. The function failed to validate that the namespace of the referenced secret matched the namespace of the DiscoveryServiceCertificate resource, allowing unauthorized cross-namespace access. The issue is classified as CWE-862 (Missing Authorization) (Miggo).
When exploited, this vulnerability allows users with permission to create DiscoveryServiceCertificate resources in one namespace to indirectly read Secrets from other namespaces, effectively bypassing Kubernetes RBAC security boundaries. This breaks the isolation between namespaces (GitHub Advisory).
A patch has been released in version v0.13.4 which adds validation to ensure namespaces match before allowing access to Secrets. As a temporary workaround, organizations are advised to restrict DiscoveryServiceCertificate create permissions to cluster administrators only until the patched version can be deployed (GitHub Advisory).
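The check the patch is described as adding (the referenced Secret's namespace must match the resource's namespace before the read happens) can be sketched as follows. This is an added example, not MARIN3R's code: the types SecretRef, Certificate and SecretStore, the function ResolveIssuer, and the rule that an empty namespace defaults to the resource's own are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretRef and Certificate are simplified stand-ins, not MARIN3R's API types.
type SecretRef struct{ Namespace, Name string }

type Certificate struct {
	Namespace, Name string
	Issuer          SecretRef
}

// SecretStore maps "namespace/name" to data. It stands in for a client with
// broader read access than the user who created the resource.
type SecretStore map[string][]byte

var ErrCrossNamespace = errors.New("issuer secret is outside the resource's namespace")

// ResolveIssuer checks the reference before performing the privileged read.
func ResolveIssuer(store SecretStore, c Certificate) ([]byte, error) {
	ns := c.Issuer.Namespace
	if ns == "" {
		ns = c.Namespace // assumption: an unset namespace means "same namespace"
	}
	if ns != c.Namespace {
		return nil, fmt.Errorf("%w: %s/%s references %s/%s",
			ErrCrossNamespace, c.Namespace, c.Name, ns, c.Issuer.Name)
	}
	data, ok := store[ns+"/"+c.Issuer.Name]
	if !ok {
		return nil, fmt.Errorf("secret %s/%s not found", ns, c.Issuer.Name)
	}
	return data, nil
}

func main() {
	// Constructed sample data.
	store := SecretStore{"team-a/ca": []byte("team-a CA"), "kube-system/ca": []byte("cluster CA")}
	certs := []Certificate{
		{Namespace: "team-a", Name: "ok", Issuer: SecretRef{Name: "ca"}},
		{Namespace: "team-a", Name: "bad", Issuer: SecretRef{Namespace: "kube-system", Name: "ca"}},
	}
	for _, c := range certs {
		_, err := ResolveIssuer(store, c)
		fmt.Printf("%s/%s: err=%v\n", c.Namespace, c.Name, err)
	}
}
```

The rejection happens before the store is touched, so a cross-namespace reference fails the same way whether or not the target Secret exists.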
Source: This report was generated using AI