VYPR
Moderate severity · NVD Advisory · Published Mar 24, 2025 · Updated Mar 24, 2025

Kyverno ignores subjectRegExp and issuerRegExp

CVE-2025-29778

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores the subjectRegExp and issuerRegExp fields while verifying an artifact's signature in keyless mode. This allows an attacker to deploy Kubernetes resources with artifacts that were signed by an unexpected certificate. Deploying these unauthorized Kubernetes resources can lead to full compromise of the Kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.
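To make the failure mode in the description concrete, here is an added, simplified reconstruction of the signer-matching step; it is illustration code written for this page, not Kyverno's own implementation, and the Identity and Criteria types, the combined exact-plus-regex matching rule and the sample identities are assumptions (certificate extensions are left out). The `vulnerable` flag reproduces the pre-patch early return, which looked only at the exact subject and issuer fields, so a policy that pins the signer purely through subjectRegExp and issuerRegExp was treated as having no constraint and every signature was accepted without being compared.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Identity holds the certificate identity recovered from one keyless
// signature. It is a constructed stand-in for the certificate fields,
// not Kyverno's own type.
type Identity struct {
	Subject string
	Issuer  string
}

// Criteria mirrors the policy fields named in the advisory: an exact
// subject and issuer, plus the subjectRegExp / issuerRegExp variants.
type Criteria struct {
	Subject       string
	SubjectRegExp string
	Issuer        string
	IssuerRegExp  string
}

// unconstrained reports whether the policy configured no identity check.
// The vulnerable variant reproduces the pre-patch early return, which
// ignored the RegExp fields; the fixed variant counts them, as the patch does.
func (c Criteria) unconstrained(vulnerable bool) bool {
	if vulnerable {
		return c.Subject == "" && c.Issuer == ""
	}
	return c.Subject == "" && c.Issuer == "" &&
		c.SubjectRegExp == "" && c.IssuerRegExp == ""
}

// fieldMatches checks one identity field against an optional exact value and
// an optional regular expression (assumed semantics: every constraint that is
// set must hold; an unset constraint always passes).
func fieldMatches(value, exact, pattern string) (bool, error) {
	if exact != "" && value != exact {
		return false, nil
	}
	if pattern != "" {
		return regexp.MatchString(pattern, value)
	}
	return true, nil
}

// MatchSignatures returns nil when at least one signature identity satisfies
// the criteria, or when the criteria are genuinely empty. With vulnerable=true
// a RegExp-only policy is treated as empty and nothing is ever compared.
func MatchSignatures(ids []Identity, c Criteria, vulnerable bool) error {
	if c.unconstrained(vulnerable) {
		return nil
	}
	for _, id := range ids {
		subOK, err := fieldMatches(id.Subject, c.Subject, c.SubjectRegExp)
		if err != nil {
			return fmt.Errorf("bad subjectRegExp: %w", err)
		}
		issOK, err := fieldMatches(id.Issuer, c.Issuer, c.IssuerRegExp)
		if err != nil {
			return fmt.Errorf("bad issuerRegExp: %w", err)
		}
		if subOK && issOK {
			return nil
		}
	}
	return errors.New("no signature matched the configured subject/issuer")
}

func main() {
	// Constructed sample: a policy that pins the signer only by regular
	// expression, and a signature whose certificate identity does not match it.
	policy := Criteria{
		SubjectRegExp: `^https://github\.com/example-org/.*$`,
		IssuerRegExp:  `^https://token\.actions\.githubusercontent\.com$`,
	}
	unexpected := []Identity{{
		Subject: "https://github.com/other-org/app/.github/workflows/release.yml@refs/heads/main",
		Issuer:  "https://token.actions.githubusercontent.com",
	}}
	fmt.Println("vulnerable:", MatchSignatures(unexpected, policy, true))  // nil: accepted unchecked
	fmt.Println("fixed:     ", MatchSignatures(unexpected, policy, false)) // error: rejected
}
```

The defensive takeaway is the shape of the guard: an "is anything configured?" short-circuit must enumerate every field that can carry a constraint, otherwise a policy author who picks the one field the guard forgot gets silent allow-all behaviour rather than an error.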

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/kyverno/kyverno (Go)
Affected versions: >= 1.13.0, < 1.14.0-alpha.1
Patched versions: 1.14.0-alpha.1


Patches

Commit 8777672fb17b

changes if condition to check for RegExp field (#12237)

https://github.com/kyverno/kyverno · Mohd Kamaal · Feb 28, 2025 · via ghsa
1 file changed · +1 -1
  • pkg/cosign/cosign.go (+1 -1, modified)
    @@ -534,7 +534,7 @@ func extractDigest(imgRef string, payload []payload.SimpleContainerImage) (strin
     }
     
     func matchSignatures(signatures []oci.Signature, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error {
    -	if subject == "" && issuer == "" && len(extensions) == 0 {
    +	if subject == "" && issuer == "" && subjectRegExp == "" && issuerRegExp == "" && len(extensions) == 0 {
     		return nil
     	}
     
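Review bot: a regression test is missing for the exact case this guard fixes: a keyless policy that sets only subjectRegExp or only issuerRegExp, verified against a signature whose certificate identity does not match, should now get an error from matchSignatures, where the old condition `if subject == "" && issuer == "" && len(extensions) == 0` returned nil before any comparison ran. The hunk stops at the early return and does not show the matching body beneath it, so also confirm that the subjectRegExp and issuerRegExp comparisons down there are actually reached and applied when subject and issuer are both empty strings; otherwise the new guard merely falls through into code that still compares nothing.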
    
