VYPR
Moderate severity · NVD Advisory · Published Mar 9, 2023 · Updated Feb 25, 2025

Unchecked fieldpath index in Composition's patches can lead to arbitrary memory allocation in crossplane

CVE-2023-27484

Description

crossplane-runtime is a set of Go libraries used to build Kubernetes controllers in Crossplane and its related stacks. In affected versions, an already highly privileged user able to create or update Compositions can specify an arbitrarily high index in a patch's ToFieldPath, which could lead to excessive memory usage once such a Composition is selected for a Composite Resource. Compositions allow users to specify patches that insert elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, its patches are evaluated, and if a specified index is greater than the current size of the target slice, Crossplane grows that slice up to the specified index. This can consume an excessive amount of memory and result in the Pod being OOM-killed. The index is already capped to the maximum value of a uint32 (4294967295) when parsed, but that is still an unnecessarily large value. This issue has been addressed in versions 1.11.2, 1.10.3, and 1.9.2. Users are advised to upgrade. Users unable to upgrade can restrict write privileges on Compositions to admin users only as a workaround.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An attacker with write privileges on Compositions can cause excessive memory allocation and OOM-kill the Crossplane pod by specifying a large patch index.

Vulnerability

Overview

CVE-2023-27484 is a resource exhaustion vulnerability in crossplane-runtime, a set of Go libraries used to build Kubernetes controllers in Crossplane and its related stacks. The root cause lies in how Compositions handle array patch indexes: when a Composition specifies a patch that inserts an element into a target slice at an arbitrary index, the code grows the slice to accommodate that index. An attacker who can create or update a Composition can set this index to an arbitrarily high value (up to the uint32 maximum of 4294967295). Even though the index is capped at parse time, the resulting slice growth can consume excessive memory, leading to an out-of-memory (OOM) kill of the Crossplane pod. [1][3]

Attack

Surface and Exploitation

Exploitation requires a highly privileged attacker who already has the ability to create or update Composition resources in the Crossplane cluster. Such a user can craft a Composition with a patch ToFieldPath specifying an extremely high array index. Once this Composition is selected for a Composite Resource, the patch evaluation triggers unconditional slice growth, causing memory allocation proportional to the index value. The vulnerability does not require any additional authentication beyond the existing write permissions on Compositions. [1][3]

Impact

A successful attack causes the Crossplane pod to be OOM-killed, resulting in a denial of service (DoS) of the Crossplane control plane. This can disrupt the management of cloud resources orchestrated by Crossplane. No data confidentiality or integrity compromise is described, but availability is directly affected. [1]

Mitigation

Crossplane has released patched versions 1.11.2, 1.10.3, and 1.9.2 that address the issue by properly capping the patch index. Users are advised to upgrade to these or later versions. For users who cannot immediately upgrade, a workaround is to restrict write privileges on Composition resources to only admin users, thereby limiting the attack surface. [1][3]
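The description and the mitigation above both come down to one check: whether the array index named in a patch is bounded before the target slice is grown to fit it. The following Go program is an added illustration written for this page; it is not code from crossplane-runtime or from the Crossplane fix. It assumes a hypothetical cap (MaxSliceIndex = 1024; the real limit chosen by the patched releases is not stated here), an interface value size of 16 bytes on a 64-bit platform, and function names of its own. It shows the parse-time uint32 cap the advisory mentions, an estimate of the backing-array size a maximal index would demand (which is why the outcome is an OOM kill rather than a slow operation), and the unbounded grow-to-index setter beside a hardened version that rejects oversized indexes before allocating anything.

```go
package main

import (
	"fmt"
	"strconv"
)

// MaxSliceIndex is an assumed cap for this example only. The advisory says the
// fixed releases cap the patch index, but the exact limit is not stated there.
const MaxSliceIndex = 1024

// ParseIndex mirrors the parse-time behaviour described in the advisory: the
// index is parsed as a uint32, so the largest value accepted is 4294967295.
func ParseIndex(s string) (uint32, error) {
	v, err := strconv.ParseUint(s, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid array index %q: %w", s, err)
	}
	return uint32(v), nil
}

// EstimateBytes returns the backing-array size in bytes that growing a []any
// to hold index idx requires, assuming a 16-byte interface value (64-bit
// platform). A uint32-maximal index works out to 64 GiB for a single patch.
func EstimateBytes(idx uint32) uint64 {
	const ifaceSize = 16
	return (uint64(idx) + 1) * ifaceSize
}

// SetSliceValueUnbounded reproduces the pre-fix behaviour the advisory
// describes: whatever index the patch names, the target slice is grown so
// that the index exists, with no upper bound beyond the uint32 parse cap.
func SetSliceValueUnbounded(s []any, idx uint32, v any) []any {
	if uint64(idx) >= uint64(len(s)) {
		grown := make([]any, uint64(idx)+1)
		copy(grown, s)
		s = grown
	}
	s[idx] = v
	return s
}

// SetSliceValueCapped is the hardened form: the index is checked against
// MaxSliceIndex before any allocation happens, so an oversized patch is
// rejected with an error instead of being honoured.
func SetSliceValueCapped(s []any, idx uint32, v any) ([]any, error) {
	if idx > MaxSliceIndex {
		return nil, fmt.Errorf("array index %d exceeds maximum allowed %d", idx, MaxSliceIndex)
	}
	return SetSliceValueUnbounded(s, idx, v), nil
}

func main() {
	// Constructed sample: a patch writing into index 3 of an empty array.
	s, err := SetSliceValueCapped(nil, 3, "value")
	fmt.Printf("capped setter, idx 3: len=%d err=%v\n", len(s), err)

	// The uint32 maximum named in the advisory.
	idx, _ := ParseIndex("4294967295")
	fmt.Printf("idx %d would need about %d GiB for the backing array\n",
		idx, EstimateBytes(idx)>>30)

	_, err = SetSliceValueCapped(nil, idx, "value")
	fmt.Println("capped setter, idx max uint32:", err)
	// SetSliceValueUnbounded(nil, idx, "value") is the vulnerable path; it is
	// deliberately not called here because it would try to allocate ~64 GiB.
}
```

The design point is the ordering: the bound check in SetSliceValueCapped runs before make, so a rejected patch costs nothing, whereas the unbounded setter commits the allocation before any other logic can intervene. Pairing the code cap with the RBAC workaround (only admin users may write Compositions) covers both the software and the authorization side of the advisory's mitigation.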

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Ecosystem   Affected versions     Patched versions
github.com/crossplane/crossplane  Go          < 1.9.2               1.9.2
github.com/crossplane/crossplane  Go          >= 1.10.0, < 1.10.3   1.10.3
github.com/crossplane/crossplane  Go          >= 1.11.0, < 1.11.2   1.11.2

Affected products: 8

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)