CVE-2025-48710

medium

Description

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users with permission to create or modify ResourceGraphDefinition resources to supply arbitrary container images. This is a confused-deputy scenario: kro's controllers deploy and run the attacker-controlled images with their own privileges, so a principal whose only cluster right is writing ResourceGraphDefinition objects obtains remote code execution on cluster nodes. The precondition is an authenticated principal with that write permission (reflected in the PR:H of the CVSS v3 vector below); the execution itself happens under the controller's identity rather than the attacker's.
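An audit a cluster operator can run against exported ResourceGraphDefinition objects, as an added example that is not part of the advisory or of the kro project's code. It walks each RGD's resource templates, collects every `image` field, and flags images outside an allowlist of trusted registries, as well as images whose value is a kro `${...}` template expression (which means the image is chosen later by whoever creates an instance, not by the RGD author). The RGD layout assumed here (`spec.resources[*].template` holding the Kubernetes object kro will create), the `${...}` expression syntax, the registry allowlist and the two sample RGDs are all assumptions constructed for illustration, not taken from the advisory.

```python
"""
Audit ResourceGraphDefinition (RGD) objects for container images that kro's
controller would pull and run on behalf of the RGD author.

Assumed RGD shape (not from the advisory): metadata.name plus
spec.resources[*].template, where template is the Kubernetes object kro
creates. Images may appear in any nested `image` field (Pod spec, Deployment
pod template, initContainers, ...), so the walk is recursive.
"""
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Assumed allowlist: only registries the platform team controls.
TRUSTED_REGISTRIES = ("registry.internal.example/", "ghcr.io/myorg/")

# Assumed kro template expression syntax, e.g. ${schema.spec.image}; such a
# value is filled in at instance creation time by a different principal.
TEMPLATE_EXPR = re.compile(r"\$\{[^}]*\}")


def iter_images(obj: Any, path: str) -> Iterator[tuple[str, str]]:
    """Yield (json_path, image) for every string-valued `image` key under obj."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key == "image" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_images(value, child)
    elif isinstance(obj, list):
        for idx, item in enumerate(obj):
            yield from iter_images(item, f"{path}[{idx}]")


def classify_image(image: str) -> str:
    """Return 'templated', 'trusted' or 'untrusted' for one image reference."""
    if TEMPLATE_EXPR.search(image):
        return "templated"
    # A bare reference like "nginx:latest" has no registry prefix and resolves
    # to a public registry, so it does not match the allowlist and is untrusted.
    if any(image.startswith(prefix) for prefix in TRUSTED_REGISTRIES):
        return "trusted"
    return "untrusted"


def audit_rgd(rgd: dict) -> list[tuple[str, str, str, str]]:
    """Return (rgd name, json path, image, verdict) for every non-trusted image."""
    name = rgd.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for idx, resource in enumerate(rgd.get("spec", {}).get("resources", [])):
        base = f"spec.resources[{idx}].template"
        for path, image in iter_images(resource.get("template", {}), base):
            verdict = classify_image(image)
            if verdict != "trusted":
                findings.append((name, path, image, verdict))
    return findings


def audit_all(rgds: list[dict]) -> list[tuple[str, str, str, str]]:
    """Audit a list of RGDs (e.g. the items of a `kubectl get rgd -o json` dump)."""
    return [f for rgd in rgds for f in audit_rgd(rgd)]


# Constructed sample RGDs for the example; not real objects from any cluster.
SAMPLE_RGDS: list[dict] = [
    {
        "apiVersion": "kro.run/v1alpha1",
        "kind": "ResourceGraphDefinition",
        "metadata": {"name": "web-app"},
        "spec": {
            "resources": [
                {
                    "id": "deployment",
                    "template": {
                        "apiVersion": "apps/v1",
                        "kind": "Deployment",
                        "spec": {
                            "template": {
                                "spec": {
                                    "containers": [
                                        {"name": "app", "image": "registry.internal.example/web:1.4"}
                                    ],
                                    "initContainers": [
                                        {"name": "init", "image": "attacker.example/evil:latest"}
                                    ],
                                }
                            }
                        },
                    },
                }
            ]
        },
    },
    {
        "apiVersion": "kro.run/v1alpha1",
        "kind": "ResourceGraphDefinition",
        "metadata": {"name": "user-image-job"},
        "spec": {
            "resources": [
                {
                    "id": "job",
                    "template": {
                        "apiVersion": "batch/v1",
                        "kind": "Job",
                        "spec": {
                            "template": {
                                "spec": {"containers": [{"name": "run", "image": "${schema.spec.image}"}]}
                            }
                        },
                    },
                }
            ]
        },
    },
]


if __name__ == "__main__":
    for name, path, image, verdict in audit_all(SAMPLE_RGDS):
        print(json.dumps({"rgd": name, "path": path, "image": image, "verdict": verdict}))
```

To run it against a live cluster, replace `SAMPLE_RGDS` with the `items` of `kubectl get resourcegraphdefinitions -A -o json` and treat every `untrusted` finding as an image kro's controller will run under its own privileges; `templated` findings deserve a second look because the effective image is chosen by whoever instantiates the RGD, which widens the set of principals whose input reaches the controller.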

References

https://orca.security/resources/blog/kubernetes-crd-abstraction-risks-kro/

https://github.com/kro-run/kro/compare/v0.2.1...v0.2.2

Details

Source: Mitre, NVD

Published: 2025-06-04

Updated: 2025-06-04

Named Vulnerability: unknown

Risk Information

CVSS v2

Base Score: 3.3

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 4.1

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00075