CVE-2025-29778 MEDIUM

CVE-2025-29778: Kyverno ignores subjectRegExp and IssuerRegExp

Vendor Kyverno
Product kyverno
Weakness CWE-285 (Improper Authorization)
Published March 24, 2025
Last update March 24, 2025

CVSS base score

5.8/10 (Medium)
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Changed
Confidentiality None
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores the subjectRegExp and issuerRegExp fields of a keyless attestor while verifying an artifact's signature in keyless mode: the regular expressions a policy sets for the signing certificate's subject and issuer are never applied. This allows an attacker to deploy Kubernetes resources that reference artifacts signed with a certificate whose subject or issuer does not match the policy's regular expressions, so any certificate obtainable through the keyless signing flow passes verification. Deploying these unauthorized Kubernetes resources can lead to full compromise of the Kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue. On affected versions, a verifyImages rule whose keyless attestors constrain signer identity only through these two regex fields performs no identity check at all; audit such rules before relying on them.
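The identity check the advisory describes, as an added example in Go (Kyverno's own language). This is illustrative code written for this page, not Kyverno's or cosign's implementation; the type names KeylessIdentity and SignerIdentity, the two match functions and the sample identities are assumptions constructed here. A policy pins signers to a GitHub Actions workflow purely through subjectRegExp and issuerRegExp: the check modelled on the vulnerable behaviour accepts an unrelated keyless certificate, while the fixed check rejects it and fails closed on an under-constrained policy or a malformed pattern.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// KeylessIdentity holds the identity constraints a keyless attestor can
// carry. The field names follow the Kyverno policy fields discussed on this
// page; the type itself is an assumption for this example, not Kyverno's
// own API type.
type KeylessIdentity struct {
	Subject       string // exact match on the certificate subject (SAN)
	SubjectRegExp string // regular expression over the certificate subject
	Issuer        string // exact match on the OIDC issuer extension
	IssuerRegExp  string // regular expression over the OIDC issuer
}

// SignerIdentity is what a keyless (Fulcio-issued) signing certificate
// asserts about the signer: the OIDC subject and the OIDC issuer.
type SignerIdentity struct {
	Subject string
	Issuer  string
}

// vulnerableMatch models the behaviour the advisory describes for versions
// before 1.14.0-alpha.1: the exact-match fields are enforced, the regex
// fields are never consulted. A policy that relies only on subjectRegExp
// and issuerRegExp therefore accepts every keyless certificate.
func vulnerableMatch(pol KeylessIdentity, cert SignerIdentity) bool {
	if pol.Subject != "" && pol.Subject != cert.Subject {
		return false
	}
	if pol.Issuer != "" && pol.Issuer != cert.Issuer {
		return false
	}
	return true
}

// fixedMatch enforces all four constraints. Two hardening choices that go
// beyond the advisory text (assumptions of this example): the policy must
// constrain both subject and issuer somehow (fail closed), and a malformed
// regex is an error rather than a silent pass. Matching uses
// regexp.MatchString, which is unanchored like cosign's identity matching,
// so patterns should carry ^ and $.
func fixedMatch(pol KeylessIdentity, cert SignerIdentity) (bool, error) {
	if pol.Subject == "" && pol.SubjectRegExp == "" {
		return false, errors.New("policy constrains neither subject nor subjectRegExp")
	}
	if pol.Issuer == "" && pol.IssuerRegExp == "" {
		return false, errors.New("policy constrains neither issuer nor issuerRegExp")
	}
	if pol.Subject != "" && pol.Subject != cert.Subject {
		return false, nil
	}
	if pol.Issuer != "" && pol.Issuer != cert.Issuer {
		return false, nil
	}
	for _, c := range []struct{ name, pattern, value string }{
		{"subjectRegExp", pol.SubjectRegExp, cert.Subject},
		{"issuerRegExp", pol.IssuerRegExp, cert.Issuer},
	} {
		if c.pattern == "" {
			continue
		}
		ok, err := regexp.MatchString(c.pattern, c.value)
		if err != nil {
			return false, fmt.Errorf("%s: %w", c.name, err)
		}
		if !ok {
			return false, nil
		}
	}
	return true, nil
}

// Constructed sample policy: signatures must come from a GitHub Actions
// workflow on the main branch of one organisation, expressed only through
// the two regex fields.
var policy = KeylessIdentity{
	SubjectRegExp: `^https://github\.com/example-org/[^/]+/\.github/workflows/[^@]+@refs/heads/main$`,
	IssuerRegExp:  `^https://token\.actions\.githubusercontent\.com$`,
}

// legitSigner is the identity such a workflow's Fulcio certificate carries
// (constructed sample).
var legitSigner = SignerIdentity{
	Subject: "https://github.com/example-org/app/.github/workflows/release.yaml@refs/heads/main",
	Issuer:  "https://token.actions.githubusercontent.com",
}

// attackerSigner is any other keyless certificate, for example one obtained
// by logging in to Fulcio with a personal account (constructed sample).
var attackerSigner = SignerIdentity{
	Subject: "attacker@example.com",
	Issuer:  "https://accounts.google.com",
}

func main() {
	for _, s := range []SignerIdentity{legitSigner, attackerSigner} {
		fixed, err := fixedMatch(policy, s)
		fmt.Printf("%-80s vulnerable=%v fixed=%v err=%v\n",
			s.Subject, vulnerableMatch(policy, s), fixed, err)
	}
}
```

Running it prints vulnerable=true for both signers and fixed=true only for the workflow identity. Because the regex match is unanchored, a pattern such as `github.com/example-org/` without ^ and $ would also accept a subject that merely contains that string, so the sample patterns are anchored.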

Key dates

Disclosure timeline

March 24, 2025 CVE published
March 24, 2025 Record updated