
Cloud Vulnerability DB
A community-led vulnerabilities database
A medium-severity vulnerability (CVE-2025-9708) was discovered in the Kubernetes C# client, affecting all versions prior to v17.0.14. The flaw is in the client's certificate validation logic: when configured with a custom CA, the client accepts a well-formed certificate chain from any Certificate Authority (CA) instead of verifying that the chain terminates at the CA it was configured to trust. The issue was disclosed on September 16, 2025, and received a CVSS score of 6.8 (Medium) (NVD, Security Online).
The root cause is improper certificate validation (CWE-295) in custom CA mode, that is, when the kubeconfig file supplies the API server's CA through its certificate-authority or certificate-authority-data field rather than relying on the system trust store. When the Kubernetes C# client connects to the API server over TLS/HTTPS in this mode, it does not properly verify the trust chain of the certificate the server presents. The vulnerability carries a CVSS v3.1 score of 6.8 (Medium) with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N: reachable over the network, high attack complexity (the attacker needs a position on the path between client and API server), no privileges required, user interaction required, and high impact on confidentiality and integrity with no availability impact (Kubernetes Issue).
An attacker who can intercept the client's traffic can therefore present a certificate issued by a CA they control and have it accepted as the API server's certificate. This enables man-in-the-middle (MITM) attacks in which the attacker reads or modifies the client's communication with the Kubernetes API server, including the credentials the client presents to authenticate, and it enables outright API server impersonation, giving unauthorized access to sensitive data and the ability to manipulate cluster operations. The risk is greatest for organizations whose clients reach Kubernetes clusters over untrusted networks (Kubernetes Announce).
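To make the failure mode concrete, the following is an added C# example. It is not the Kubernetes C# client's code and does not reproduce its implementation, which the advisory does not show. It contrasts a weak custom-CA check of the kind CWE-295 describes (build the chain with AllowUnknownCertificateAuthority and trust whatever Build() returns) with a hardened check that makes the kubeconfig CA the only trust anchor and confirms the built chain really ends at it. Both are run against two throwaway in-memory certificates: a "kube-apiserver" certificate issued by a constructed cluster CA, and one with the same name issued by a constructed attacker CA that the attacker would send along in the TLS handshake. The weak check accepts both; the hardened check rejects the attacker's. The certificate names, the class and method names, and the use of X509ChainTrustMode.CustomRootTrust (available from .NET 5) are assumptions of this example.

```csharp
// Added example, not code from kubernetes-client/csharp. Contrasts a weak
// custom-CA check with a hardened one and exercises both against constructed
// in-memory certificates. Requires .NET 5 or later (CustomRootTrust).
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CustomCaValidation
{
    // WEAK: AllowUnknownCertificateAuthority suppresses the UntrustedRoot status,
    // so Build() returns true for any well-formed chain, including one that ends
    // at a root the attacker supplied during the TLS handshake.
    public static bool WeakValidate(X509Certificate2 server,
        X509Certificate2Collection presentedByPeer, X509Certificate2Collection customCas)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.ChainPolicy.ExtraStore.AddRange(presentedByPeer);
        chain.ChainPolicy.ExtraStore.AddRange(customCas);
        return chain.Build(server); // accepts the attacker's chain too
    }

    // HARDENED: only the kubeconfig CAs are trust anchors (system roots and
    // peer-supplied roots are ignored), and the root of the built chain is
    // compared byte-for-byte against them. That explicit comparison is the
    // check a library without CustomRootTrust (e.g. netstandard2.0) must do.
    public static bool HardenedValidate(X509Certificate2 server,
        X509Certificate2Collection presentedByPeer, X509Certificate2Collection customCas)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(customCas);
        chain.ChainPolicy.ExtraStore.AddRange(presentedByPeer);
        if (!chain.Build(server)) return false;
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return customCas.Cast<X509Certificate2>().Any(ca => ca.RawData.SequenceEqual(root.RawData));
    }

    // Shape expected by HttpClientHandler.ServerCertificateCustomValidationCallback.
    // The chain handed to the callback carries the peer's intermediates in ExtraStore.
    public static Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool>
        MakeCallback(X509Certificate2Collection customCas) =>
        (request, cert, chain, errors) =>
            cert != null && chain != null &&
            HardenedValidate(cert, chain.ChainPolicy.ExtraStore, customCas);

    // --- Constructed test material: throwaway in-memory certificates ---
    static X509Certificate2 MakeCa(string cn)
    {
        var key = RSA.Create(2048); // intentionally not disposed: the CA signs below
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    static X509Certificate2 MakeServerCert(X509Certificate2 issuer, string cn)
    {
        var key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        var serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] = (byte)((serial[0] & 0x7F) | 0x01); // positive serial, no leading zero byte
        return req.Create(issuer, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddMonths(6), serial);
    }

    // Public-only copies, as they would appear in kubeconfig or on the wire.
    static X509Certificate2Collection PublicOnly(params X509Certificate2[] certs) =>
        new X509Certificate2Collection(
            certs.Select(c => new X509Certificate2(c.Export(X509ContentType.Cert))).ToArray());

    static void Main()
    {
        var clusterCa = MakeCa("kubernetes-ca");   // what certificate-authority-data would hold
        var attackerCa = MakeCa("attacker-ca");    // any CA an on-path attacker controls
        var kubeconfigCas = PublicOnly(clusterCa);

        var realApiServer = MakeServerCert(clusterCa, "kube-apiserver");
        var fakeApiServer = MakeServerCert(attackerCa, "kube-apiserver"); // same name, wrong issuer

        // Each TLS server presents its own issuing CA alongside its certificate.
        var clusterChain = PublicOnly(clusterCa);
        var attackerChain = PublicOnly(attackerCa);

        Console.WriteLine($"weak     real={WeakValidate(realApiServer, clusterChain, kubeconfigCas)} " +
                          $"fake={WeakValidate(fakeApiServer, attackerChain, kubeconfigCas)}");
        Console.WriteLine($"hardened real={HardenedValidate(realApiServer, clusterChain, kubeconfigCas)} " +
                          $"fake={HardenedValidate(fakeApiServer, attackerChain, kubeconfigCas)}");
    }
}
```

Build it as a console application on .NET 5 or later and run it. The byte-for-byte root comparison in HardenedValidate is kept even though CustomRootTrust already restricts the trust anchors: on older targets where CustomRootTrust does not exist and the custom CA can only go into ExtraStore, comparing the root of the built chain against the configured CA is the step that turns "a chain was built" into "the chain ends at our CA", and it is exactly the step the weak version lacks.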
The primary mitigation is to upgrade to Kubernetes C# client version 17.0.14 or later; in practice, confirm that every project's KubernetesClient NuGet package reference is at 17.0.14 or newer. For organizations unable to update immediately, the alternative is to stop using custom CA mode: remove the CA from the kubeconfig file and add it to the machine's trusted root store instead, so that the client validates the API server against system trust. This widens the blast radius of the CA, since every process on that machine will then trust any certificate it signs, so it is a stop-gap rather than a replacement for upgrading (Kubernetes Issue).
The vulnerability was reported by @elliott-beach and addressed by a team including Boshi Lian (@tg123), Brendan Burns (@brendandburns), and Rita Zhang (@ritazh). The Kubernetes Security Response Committee coordinated the disclosure and patching process (Kubernetes Issue).
Source: This report was generated using AI