Low severity2.7GHSA Advisory· Published Jun 23, 2025· Updated Jun 17, 2026
CVE-2025-4563
CVE-2025-4563
Description
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
k8s.io/kubernetesGo | >= 1.32.0, < 1.32.6 | 1.32.6 |
k8s.io/kubernetesGo | >= 1.33.0, < 1.33.2 | 1.33.2 |
Affected products
184- Range: >= 1.33.0, <= 1.33.1
- osv-coords183 versionspkg:apk/chainguard/argo-cd-3.0pkg:apk/chainguard/argo-cd-3.0-compatpkg:apk/chainguard/argo-cd-3.0-iamguarded-compatpkg:apk/chainguard/argo-cd-3.0-repo-serverpkg:apk/chainguard/argo-cd-3.1pkg:apk/chainguard/argo-cd-3.1-compatpkg:apk/chainguard/argo-cd-3.1-iamguarded-compatpkg:apk/chainguard/argo-cd-3.1-repo-serverpkg:apk/chainguard/argo-cd-fips-3.0pkg:apk/chainguard/argo-cd-fips-3.0-compatpkg:apk/chainguard/argo-cd-fips-3.0-iamguarded-compatpkg:apk/chainguard/argo-cd-fips-3.0-repo-serverpkg:apk/chainguard/argo-cd-fips-3.1pkg:apk/chainguard/argo-cd-fips-3.1-compatpkg:apk/chainguard/argo-cd-fips-3.1-iamguarded-compatpkg:apk/chainguard/argo-cd-fips-3.1-repo-serverpkg:apk/chainguard/azuredisk-csi-1.32pkg:apk/chainguard/azuredisk-csi-1.32-compatpkg:apk/chainguard/azuredisk-csi-1.33pkg:apk/chainguard/azuredisk-csi-1.33-compatpkg:apk/chainguard/azuredisk-csi-fips-1.32pkg:apk/chainguard/azuredisk-csi-fips-1.33pkg:apk/chainguard/azurefile-csi-1.33pkg:apk/chainguard/azurefile-csi-1.33-compatpkg:apk/chainguard/azurefile-csi-fips-1.32pkg:apk/chainguard/azurefile-csi-fips-1.32-compatpkg:apk/chainguard/azurefile-csi-fips-1.33pkg:apk/chainguard/azurefile-csi-fips-1.33-compatpkg:apk/chainguard/blob-csi-1.26pkg:apk/chainguard/blob-csi-1.26-compatpkg:apk/chainguard/blob-csi-fips-1.26pkg:apk/chainguard/blob-csi-fips-1.26-compatpkg:apk/chainguard/calico-3.30pkg:apk/chainguard/calico-apiserver-3.30pkg:apk/chainguard/calico-apiserver-compat-3.30pkg:apk/chainguard/calico-apiserver-fips-3.30pkg:apk/chainguard/calico-app-policy-3.30pkg:apk/chainguard/calico-app-policy-fips-3.30pkg:apk/chainguard/calico-cni-3.30pkg:apk/chainguard/calico-cni-compat-3.30pkg:apk/chainguard/calico-cni-compat-fips-3.30pkg:apk/chainguard/calico-cni-fips-3.30pkg:apk/chainguard/calicoctl-3.30pkg:apk/chainguard/calicoctl-fips-3.30pkg:apk/chainguard/calico-felix-3.30pkg:apk/chainguard/calico-felix-fips-3.30pkg:apk/chainguard/calico-fips-3.30pkg:apk/chainguard/calico-goldmane-3.30pkg:apk/chainguard/calico-goldmane-fips-3.30pkg:apk/chainguard/calico-key-cert-provisioner-3.30pkg:apk/chainguard/calico-key-cert-provisioner-fips-3.30pkg:apk/chainguard/calico-kube-controllers-3.30pkg:apk/chainguard/calico-kube-controllers-fips-3.30pkg:apk/chainguard/calico-node-3.30pkg:apk/chainguard/calico-node-fips-3.30pkg:apk/chainguard/calico-pod2daemon-3.30pkg:apk/chainguard/calico-pod2daemon-fips-3.30pkg:apk/chainguard/calico-pod2daemon-flexvol-compat-3.30pkg:apk/chainguard/calico-typha-client-3.30pkg:apk/chainguard/calico-typha-client-fips-3.30pkg:apk/chainguard/calico-typhad-3.30pkg:apk/chainguard/calico-typhad-fips-3.30pkg:apk/chainguard/calico-whisker-3.30pkg:apk/chainguard/calico-whisker-backend-3.30pkg:apk/chainguard/calico-whisker-backend-fips-3.30pkg:apk/chainguard/calico-whisker-fips-3.30pkg:apk/chainguard/cloud-provider-gcp-cloud-controller-managerpkg:apk/chainguard/cloud-provider-gcp-cloud-controller-manager-compatpkg:apk/chainguard/cloud-provider-gcp-cloud-controller-manager-fipspkg:apk/chainguard/cloud-provider-gcp-cloud-controller-manager-fips-compatpkg:apk/chainguard/cluster-autoscaler-1.32pkg:apk/chainguard/cluster-autoscaler-1.32-compatpkg:apk/chainguard/cluster-autoscaler-fips-1.32pkg:apk/chainguard/cluster-autoscaler-fips-1.32-compatpkg:apk/chainguard/docker-machine-driver-harvesterpkg:apk/chainguard/emissarypkg:apk/chainguard/emissary-apiextpkg:apk/chainguard/emissary-fipspkg:apk/chainguard/emissary-oci-entrypointpkg:apk/chainguard/kubernetes-csi-driver-hostpathpkg:apk/chainguard/longhorn-share-manager-1.8pkg:apk/chainguard/longhorn-share-manager-1.8-compatpkg:apk/chainguard/longhorn-share-manager-fips-1.8pkg:apk/chainguard/longhorn-share-manager-fips-1.8-compatpkg:apk/chainguard/mesosphere-vsphere-csipkg:apk/chainguard/mesosphere-vsphere-csi-driverpkg:apk/chainguard/mesosphere-vsphere-csi-syncerpkg:apk/chainguard/node-feature-discovery-0.17pkg:apk/chainguard/node-feature-discovery-fips-0.17pkg:apk/chainguard/node-feature-discovery-fips-0.17-gcpkg:apk/chainguard/node-feature-discovery-fips-0.17-kubectl-nfdpkg:apk/chainguard/node-feature-discovery-fips-0.17-masterpkg:apk/chainguard/node-feature-discovery-fips-0.17-topology-updaterpkg:apk/chainguard/node-feature-discovery-fips-0.17-workerpkg:apk/chainguard/py3.10-ambassadorpkg:apk/chainguard/py3.11-ambassadorpkg:apk/chainguard/py3.12-ambassadorpkg:apk/chainguard/py3.13-ambassadorpkg:apk/chainguard/rancher-2.11pkg:apk/chainguard/rancher-2.12pkg:apk/chainguard/rancher-agent-2.11pkg:apk/chainguard/rancher-agent-2.12pkg:apk/chainguard/rancher-fleetpkg:apk/chainguard/rancher-fleet-agentpkg:apk/chainguard/rancher-fleet-agent-fipspkg:apk/chainguard/rancher-fleet-clipkg:apk/chainguard/rancher-fleet-cli-fipspkg:apk/chainguard/rancher-fleet-controllerpkg:apk/chainguard/rancher-fleet-controller-fipspkg:apk/chainguard/rancher-fleet-fipspkg:apk/chainguard/rancher-fleet-fips-agentpkg:apk/chainguard/rancher-fleet-termination-logpkg:apk/chainguard/rancher-system-agentpkg:apk/chainguard/vclusterpkg:apk/chainguard/vcluster-clipkg:apk/chainguard/vcluster-syncerpkg:apk/chainguard/yunikorn-k8shimpkg:apk/chainguard/yunikorn-k8shim-compatpkg:apk/chainguard/yunikorn-k8shim-fipspkg:apk/wolfi/argo-cd-3.0pkg:apk/wolfi/argo-cd-3.0-compatpkg:apk/wolfi/argo-cd-3.0-repo-serverpkg:apk/wolfi/argo-cd-3.1pkg:apk/wolfi/argo-cd-3.1-compatpkg:apk/wolfi/argo-cd-3.1-repo-serverpkg:apk/wolfi/azuredisk-csi-1.33pkg:apk/wolfi/azuredisk-csi-1.33-compatpkg:apk/wolfi/azurefile-csi-1.33pkg:apk/wolfi/azurefile-csi-1.33-compatpkg:apk/wolfi/blob-csi-1.26pkg:apk/wolfi/blob-csi-1.26-compatpkg:apk/wolfi/calico-3.30pkg:apk/wolfi/calico-apiserver-3.30pkg:apk/wolfi/calico-apiserver-compat-3.30pkg:apk/wolfi/calico-app-policy-3.30pkg:apk/wolfi/calico-cni-3.30pkg:apk/wolfi/calico-cni-compat-3.30pkg:apk/wolfi/calicoctl-3.30pkg:apk/wolfi/calico-felix-3.30pkg:apk/wolfi/calico-goldmane-3.30pkg:apk/wolfi/calico-key-cert-provisioner-3.30pkg:apk/wolfi/calico-kube-controllers-3.30pkg:apk/wolfi/calico-node-3.30pkg:apk/wolfi/calico-pod2daemon-3.30pkg:apk/wolfi/calico-pod2daemon-flexvol-compat-3.30pkg:apk/wolfi/calico-typha-client-3.30pkg:apk/wolfi/calico-typhad-3.30pkg:apk/wolfi/calico-whisker-3.30pkg:apk/wolfi/calico-whisker-backend-3.30pkg:apk/wolfi/cloud-provider-gcp-cloud-controller-managerpkg:apk/wolfi/cloud-provider-gcp-cloud-controller-manager-compatpkg:apk/wolfi/cluster-autoscaler-1.32pkg:apk/wolfi/cluster-autoscaler-1.32-compatpkg:apk/wolfi/docker-machine-driver-harvesterpkg:apk/wolfi/emissarypkg:apk/wolfi/emissary-apiextpkg:apk/wolfi/emissary-oci-entrypointpkg:apk/wolfi/kubernetes-csi-driver-hostpathpkg:apk/wolfi/mesosphere-vsphere-csipkg:apk/wolfi/mesosphere-vsphere-csi-driverpkg:apk/wolfi/mesosphere-vsphere-csi-syncerpkg:apk/wolfi/node-feature-discovery-0.17pkg:apk/wolfi/py3.10-ambassadorpkg:apk/wolfi/py3.11-ambassadorpkg:apk/wolfi/py3.12-ambassadorpkg:apk/wolfi/py3.13-ambassadorpkg:apk/wolfi/rancher-2.11pkg:apk/wolfi/rancher-2.12pkg:apk/wolfi/rancher-agent-2.11pkg:apk/wolfi/rancher-agent-2.12pkg:apk/wolfi/rancher-fleetpkg:apk/wolfi/rancher-fleet-agentpkg:apk/wolfi/rancher-fleet-clipkg:apk/wolfi/rancher-fleet-controllerpkg:apk/wolfi/rancher-fleet-termination-logpkg:apk/wolfi/rancher-system-agentpkg:apk/wolfi/vclusterpkg:apk/wolfi/vcluster-clipkg:apk/wolfi/vcluster-syncerpkg:apk/wolfi/yunikorn-k8shimpkg:apk/wolfi/yunikorn-k8shim-compatpkg:golang/k8s.io/kubernetespkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 3.0.6-r2+ 182 more
- (no CPE)range: < 3.0.6-r2
- (no CPE)range: < 3.0.6-r2
- (no CPE)range: < 3.0.6-r2
- (no CPE)range: < 3.0.6-r2
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.0.9-r1
- (no CPE)range: < 3.0.9-r1
- (no CPE)range: < 3.0.9-r1
- (no CPE)range: < 3.0.9-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 1.32.7-r2
- (no CPE)range: < 1.32.7-r2
- (no CPE)range: < 1.33.1-r2
- (no CPE)range: < 1.33.1-r2
- (no CPE)range: < 1.32.7-r2
- (no CPE)range: < 1.33.1-r2
- (no CPE)range: < 1.33.2-r1
- (no CPE)range: < 1.33.2-r1
- (no CPE)range: < 1.32.4-r2
- (no CPE)range: < 1.32.4-r2
- (no CPE)range: < 1.33.2-r1
- (no CPE)range: < 1.33.2-r1
- (no CPE)range: < 1.26.5-r51
- (no CPE)range: < 1.26.5-r51
- (no CPE)range: < 1.26.5-r51
- (no CPE)range: < 1.26.5-r51
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 33.1.1-r2
- (no CPE)range: < 33.1.1-r2
- (no CPE)range: < 33.1.1-r2
- (no CPE)range: < 33.1.1-r2
- (no CPE)range: < 1.32.1-r6
- (no CPE)range: < 1.32.1-r6
- (no CPE)range: < 1.32.1-r5
- (no CPE)range: < 1.32.1-r5
- (no CPE)range: < 1.0.6-r4
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 3.10.0-r3
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 1.17.0-r1
- (no CPE)range: < 1.8.2-r2
- (no CPE)range: < 1.8.2-r2
- (no CPE)range: < 1.8.2-r3
- (no CPE)range: < 1.8.2-r3
- (no CPE)range: < 3.5.0-r1
- (no CPE)range: < 3.5.0-r1
- (no CPE)range: < 3.5.0-r1
- (no CPE)range: < 0.17.3-r3
- (no CPE)range: < 0.17.3-r2
- (no CPE)range: < 0.17.3-r2
- (no CPE)range: < 0.17.3-r2
- (no CPE)range: < 0.17.3-r2
- (no CPE)range: < 0.17.3-r2
- (no CPE)range: < 0.17.3-r2
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 2.11.2-r2
- (no CPE)range: < 2.12.1-r0
- (no CPE)range: < 2.11.2-r2
- (no CPE)range: < 2.12.1-r0
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.3.12-r3
- (no CPE)range: < 0.26.0-r1
- (no CPE)range: < 0.26.0-r1
- (no CPE)range: < 0.26.0-r1
- (no CPE)range: < 1.7.0-r1
- (no CPE)range: < 1.7.0-r1
- (no CPE)range: < 1.7.0-r1
- (no CPE)range: < 3.0.6-r2
- (no CPE)range: < 3.0.6-r2
- (no CPE)range: < 3.0.6-r2
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 1.33.1-r2
- (no CPE)range: < 1.33.1-r2
- (no CPE)range: < 1.33.2-r1
- (no CPE)range: < 1.33.2-r1
- (no CPE)range: < 1.26.5-r51
- (no CPE)range: < 1.26.5-r51
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 3.30.2-r1
- (no CPE)range: < 33.1.1-r2
- (no CPE)range: < 33.1.1-r2
- (no CPE)range: < 1.32.1-r6
- (no CPE)range: < 1.32.1-r6
- (no CPE)range: < 1.0.6-r4
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 1.17.0-r1
- (no CPE)range: < 3.5.0-r1
- (no CPE)range: < 3.5.0-r1
- (no CPE)range: < 3.5.0-r1
- (no CPE)range: < 0.17.3-r3
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 3.10.0-r6
- (no CPE)range: < 2.11.2-r2
- (no CPE)range: < 2.12.1-r0
- (no CPE)range: < 2.11.2-r2
- (no CPE)range: < 2.12.1-r0
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.12.4-r1
- (no CPE)range: < 0.3.12-r3
- (no CPE)range: < 0.26.0-r1
- (no CPE)range: < 0.26.0-r1
- (no CPE)range: < 0.26.0-r1
- (no CPE)range: < 1.7.0-r1
- (no CPE)range: < 1.7.0-r1
- (no CPE)range: >= 1.32.0, < 1.32.6
- (no CPE)range: < 0.0.20250730T213748-1.1
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-hj2p-8wj8-pfq4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-4563ghsaADVISORY
- github.com/kubernetes/kubernetes/issues/132151nvdWEB
- github.com/kubernetes/kubernetes/pull/131844ghsaWEB
- github.com/kubernetes/kubernetes/pull/131875ghsaWEB
- github.com/kubernetes/kubernetes/pull/131876ghsaWEB
- groups.google.com/g/kubernetes-security-announce/c/Zv84LMRuvMQnvdWEB
- pkg.go.dev/vuln/GO-2025-3774ghsaWEB
News mentions
0No linked articles in our index yet.