Medium severity 6.8 · NVD Advisory · Published Apr 25, 2025 · Updated Apr 15, 2026
CVE-2025-46599
Description
CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.
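Constructed illustration of the mechanism the description and the fix comment point at (added here; this is not K3s or kubelet code): a stand-in for a KubeletConfiguration field whose omitempty tag drops a zero value on marshalling, so the consumer never sees the explicit 0 and falls back to its own default of 10255 unless the value arrives through a CLI flag instead. The kubeletConfig type, renderConfig and effectivePort are assumptions that model that behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// kubeletConfig is a constructed stand-in for the relevant slice of
// KubeletConfiguration: the field is a plain int32 with omitempty, so a
// zero value is dropped from the rendered configuration.
type kubeletConfig struct {
	ReadOnlyPort int32 `json:"readOnlyPort,omitempty"`
}

// kubeletDefaultReadOnlyPort is the value the consumer applies when the
// field is absent from the configuration (the port named in the advisory).
const kubeletDefaultReadOnlyPort int32 = 10255

// renderConfig marshals the configuration the way a config file is written.
func renderConfig(port int32) ([]byte, error) {
	return json.Marshal(kubeletConfig{ReadOnlyPort: port})
}

// effectivePort models the consumer (assumption): it starts from the default,
// overlays whatever the config file contains, then lets a CLI flag win, which
// is what the fix relies on with "read-only-port": "0".
func effectivePort(rendered []byte, cliArgs map[string]string) (int32, error) {
	cfg := kubeletConfig{ReadOnlyPort: kubeletDefaultReadOnlyPort}
	if err := json.Unmarshal(rendered, &cfg); err != nil {
		return 0, err
	}
	if v, ok := cliArgs["read-only-port"]; ok {
		p, err := strconv.ParseInt(v, 10, 32)
		if err != nil {
			return 0, err
		}
		cfg.ReadOnlyPort = int32(p)
	}
	return cfg.ReadOnlyPort, nil
}

func main() {
	rendered, _ := renderConfig(0) // the struct default the fix removed
	fmt.Printf("rendered config: %s\n", rendered) // {}: the explicit 0 is gone
	before, _ := effectivePort(rendered, nil)
	after, _ := effectivePort(rendered, map[string]string{"read-only-port": "0"})
	fmt.Printf("without CLI flag: %d, with CLI flag: %d\n", before, after)
}
```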
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/k3s-io/k3s (Go) | >= 1.32.0-rc1, < 1.32.4-rc1 | 1.32.4-rc1 |
Patches
097b63e588e3 Set kubelet read-only-port via CLI flag
3 files changed · +6 −1
pkg/daemons/agent/agent.go+0 −1 modified@@ -185,7 +185,6 @@ func defaultKubeletConfig(cfg *daemonconfig.Agent) (*kubeletconfig.KubeletConfig NodeStatusReportFrequency: metav1.Duration{Duration: time.Minute * 5}, NodeStatusUpdateFrequency: metav1.Duration{Duration: time.Second * 10}, ProtectKernelDefaults: cfg.ProtectKernelDefaults, - ReadOnlyPort: 0, RuntimeRequestTimeout: metav1.Duration{Duration: time.Minute * 2}, StreamingConnectionIdleTimeout: metav1.Duration{Duration: time.Hour * 4}, SyncFrequency: metav1.Duration{Duration: time.Minute},
pkg/daemons/agent/agent_linux.go+3 −0 modified@@ -77,6 +77,9 @@ func kubeletArgsAndConfig(cfg *config.Agent) (map[string]string, *kubeletconfig. argsMap := map[string]string{ "config-dir": cfg.KubeletConfigDir, "kubeconfig": cfg.KubeConfigKubelet, + // note: KubeletConfiguration will omit this field when marshalling if it is set to 0, so we set it via CLI + // https://github.com/k3s-io/k3s/issues/12164 + "read-only-port": "0", } if cfg.RootDir != "" {
pkg/daemons/agent/agent_windows.go+3 −0 modified@@ -50,6 +50,9 @@ func kubeletArgsAndConfig(cfg *config.Agent) (map[string]string, *kubeletconfig. argsMap := map[string]string{ "config-dir": cfg.KubeletConfigDir, "kubeconfig": cfg.KubeConfigKubelet, + // note: KubeletConfiguration will omit this field when marshalling if it is set to 0, so we set it via CLI + // https://github.com/k3s-io/k3s/issues/12164 + "read-only-port": "0", } if cfg.RootDir != "" { argsMap["root-dir"] = cfg.RootDir
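Review bot: Removing `ReadOnlyPort: 0` from defaultKubeletConfig in agent.go leaves no explanation at the removal site of why the value must not be carried in KubeletConfiguration; the reason (a 0 is omitted when marshalling, per k3s issue 12164) lives only in the two platform files. A short comment next to the struct literal, plus a regression test asserting that the rendered kubelet arguments contain `read-only-port=0`, would stop a future contributor from reintroducing the field and silently re-enabling the default port.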
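Review bot: The `"read-only-port": "0"` entry and its two-line comment are copied verbatim into agent_linux.go and agent_windows.go. Both map literals already open with the same `config-dir` and `kubeconfig` keys, so building the shared entries in one place would mean this security-relevant default is maintained once rather than twice. The diff also does not show whether a user-supplied `--kubelet-arg=read-only-port=...` merged later takes precedence over this entry; stating that ordering in the PR description would help reviewers confirm the override behaviour is intended.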
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-864f-7xjm-2jp2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-46599 (GHSA, advisory)
- cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port (NVD, web)
- github.com/f1veT/BUG/issues/2 (NVD, web)
- github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a (NVD, web)
- github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1 (NVD, web)
- github.com/k3s-io/k3s/issues/12164 (NVD, web)
- pkg.go.dev/vuln/GO-2025-3646 (GHSA, web)