Description

Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function }}). This leads to a nil value being substituted into the policy structure. Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values, results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno worker threads in the admission controller and causes continuous crashes of the reports controller pod. This is fixed in version 1.14.2.

INFO

Published Date :

2025-07-23T20:35:21.199Z

Last Modified :

2025-07-23T20:49:31.882Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-47281 vulnerability.

Vendors Products
Kyverno
  • Kyverno
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-47281.

URL Resource
https://github.com/kyverno/kyverno/commit/cbd7d4ca24de1c55396fc3295e9fc3215832be7c cve-icon cve-icon
https://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggq cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact