CVE-2025-64432

KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a	Patch
https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b	Patch
https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074	Patch
https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:kubevirt:kubevirt::::::kubernetes::*
	cpe:2.3:a:kubevirt:kubevirt:1.6.0:-::::kubernetes::*
	cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc0::::kubernetes::*
	cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc1::::kubernetes::*

History

No history.

Information

Published : 2025-11-07 19:16

Updated : 2025-11-25 15:56

NVD link : CVE-2025-64432

Mitre link : CVE-2025-64432

CVE.ORG link : CVE-2025-64432

JSON object : View

Products Affected

kubevirt

kubevirt

CWE

CWE-287

Improper Authentication

CWE-295

Improper Certificate Validation

{"id": "CVE-2025-64432", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2025-11-07T19:16:26.833", "references": [{"url": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1."}, {"lang": "es", "value": "KubeVirt es un complemento de gesti\u00f3n de m\u00e1quinas virtuales para Kubernetes. Las versiones 1.5.3 e inferiores, y 1.6.0 conten\u00edan una implementaci\u00f3n defectuosa del flujo de autenticaci\u00f3n de la capa de agregaci\u00f3n de Kubernetes que podr\u00eda permitir la elusi\u00f3n de los controles RBAC. Se descubri\u00f3 que el componente virt-API no logra autenticar correctamente al cliente al recibir solicitudes de API a trav\u00e9s de mTLS. En particular, no logra validar el campo CN (Common Name) en los certificados TLS del cliente recibidos contra el conjunto de valores permitidos definidos en el configmap 'extension-apiserver-authentication'. La falta de validaci\u00f3n de ciertos campos en el certificado TLS del cliente puede permitir a un atacante eludir los controles RBAC existentes al comunicarse directamente con el servidor API agregado, suplantando al servidor API de Kubernetes y su componente agregador. Este problema est\u00e1 corregido en las versiones 1.5.3 y 1.6.1."}], "lastModified": "2025-11-25T15:56:30.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "D06A16D0-A19D-4FC9-BBB2-DD155157AD8E", "versionEndExcluding": "1.5.3"}, {"criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:-:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "7AC531A2-1D99-4F6E-8C95-57B3B6B15681"}, {"criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc0:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "3A5C8C2B-705D-435E-93A7-0523DC4A97BE"}, {"criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc1:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "A6326DB3-2CBC-4B85-94C8-9F2B2B458548"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}