CVE-2025-48710 MEDIUM

Vendor Kro.run
Product kro
Weakness CWE-441
Published June 4, 2025
Last update June 4, 2025

CVSS base score 4.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity Low

CVSS vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

Description

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

Key dates

Disclosure timeline

June 4, 2025 CVE published
June 4, 2025 Record updated