Medium severity (6.8) · OSV Advisory · Published Apr 25, 2025 · Updated Apr 15, 2026
CVE-2025-46599
Description
CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.
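A defender-side check for the misconfiguration this advisory describes, added here as an example and not code from the advisory or the k3s project: it resolves the kubelet read-only port a K3s node will actually serve from the two inputs that can set it, a kubelet config file (the readOnlyPort field) and a --kubelet-arg override, and flags any non-zero result. The flag-over-config-file precedence and the 10255 default are upstream kubelet behaviour; the sample configs are constructed.

```python
"""Audit the effective kubelet read-only port on a K3s node.

Added example, not code from the advisory or the k3s project. The setting
can come from the kubelet config file (readOnlyPort in KubeletConfiguration)
or from a --kubelet-arg override that K3s passes to the kubelet as a flag.
Precedence and default follow upstream kubelet: a flag overrides the config
file, and an unset field takes the kubelet default of 10255.
Sample inputs are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

KUBELET_DEFAULT_READ_ONLY_PORT = 10255  # applied when readOnlyPort is unset


@dataclass(frozen=True)
class Finding:
    effective_port: int
    source: str    # which input decided the value
    exposed: bool  # True when the unauthenticated read-only API is served


def read_only_port_from_args(kubelet_args: Iterable[str]) -> Optional[int]:
    """Return N from a read-only-port=N kubelet-arg, or None if absent.
    Leading dashes are stripped so 'read-only-port=0' and '--read-only-port=0' both match."""
    for arg in kubelet_args:
        key, sep, value = arg.strip().lstrip("-").partition("=")
        if sep and key == "read-only-port":
            return int(value)
    return None


def effective_read_only_port(config: dict, kubelet_args: Iterable[str] = ()) -> Finding:
    """Resolve the port the kubelet will actually serve and flag it if non-zero."""
    port = read_only_port_from_args(kubelet_args)
    if port is not None:
        source = "kubelet-arg flag"
    elif "readOnlyPort" in config:
        port, source = int(config["readOnlyPort"]), "kubelet config file"
    else:
        port, source = KUBELET_DEFAULT_READ_ONLY_PORT, "kubelet default (field unset)"
    # The read-only port serves without authentication regardless of the
    # kubelet's authentication settings, so any non-zero value is an exposure.
    return Finding(port, source, exposed=port != 0)


# Constructed configs: one omitting the field (the risky case), one disabling it.
CONFIG_FIELD_OMITTED = {"kind": "KubeletConfiguration", "authentication": {"anonymous": {"enabled": False}}}
CONFIG_DISABLED = {"kind": "KubeletConfiguration", "readOnlyPort": 0}
```

Run `effective_read_only_port(config, kubelet_args)` against each node's generated kubelet config and its K3s kubelet-arg list; a finding with `exposed=True` means port 10255 (or whatever value was resolved) is being served without authentication.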
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/k3s-io/k3s | Go | >= 1.32.0-rc1, < 1.32.4-rc1 | 1.32.4-rc1 |
Affected products

34 package URLs are listed, none with a CPE identifier; each is shown with its affected version range.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/k3s | < 1.32.4.1-r0 |
| pkg:apk/chainguard/k3s-1.32 | < 1.32.6.1-r0 |
| pkg:apk/chainguard/k3s-embedded | < 1.32.4.1-r0 |
| pkg:apk/chainguard/k3s-images | < 1.32.4.1-r0 |
| pkg:apk/chainguard/k3s-multicall | < 1.32.4.1-r0 |
| pkg:apk/chainguard/k3s-multicall-1.32 | < 1.32.6.1-r0 |
| pkg:apk/chainguard/k3s-multicall-1.33 | < 0 |
| pkg:apk/chainguard/k3s-multicall-1.34 | < 0 |
| pkg:apk/chainguard/k3s-multicall-1.35 | < 0 |
| pkg:apk/chainguard/k3s-static | < 1.32.4.1-r0 |
| pkg:apk/chainguard/k3s-static-1.32 | < 1.32.6.1-r0 |
| pkg:apk/chainguard/k3s-static-1.33 | < 0 |
| pkg:apk/chainguard/k3s-static-1.34 | < 0 |
| pkg:apk/chainguard/k3s-static-1.35 | < 0 |
| pkg:apk/chainguard/rke2-runtime-1.33 | < 0 |
| pkg:apk/chainguard/rke2-runtime-1.34 | < 0 |
| pkg:apk/chainguard/rke2-runtime-1.35 | < 0 |
| pkg:apk/chainguard/rke2-runtime-1.36 | < 0 |
| pkg:apk/wolfi/k3s | < 1.32.4.1-r0 |
| pkg:apk/wolfi/k3s-1.32 | < 1.32.6.1-r0 |
| pkg:apk/wolfi/k3s-embedded | < 1.32.4.1-r0 |
| pkg:apk/wolfi/k3s-images | < 1.32.4.1-r0 |
| pkg:apk/wolfi/k3s-multicall | < 1.32.4.1-r0 |
| pkg:apk/wolfi/k3s-multicall-1.32 | < 1.32.6.1-r0 |
| pkg:apk/wolfi/k3s-multicall-1.33 | < 0 |
| pkg:apk/wolfi/k3s-multicall-1.34 | < 0 |
| pkg:apk/wolfi/k3s-multicall-1.35 | < 0 |
| pkg:apk/wolfi/k3s-static | < 1.32.4.1-r0 |
| pkg:apk/wolfi/k3s-static-1.32 | < 1.32.6.1-r0 |
| pkg:apk/wolfi/k3s-static-1.33 | < 0 |
| pkg:apk/wolfi/k3s-static-1.34 | < 0 |
| pkg:apk/wolfi/k3s-static-1.35 | < 0 |
| pkg:golang/github.com/k3s-io/k3s | >= 1.32.0-rc1, < 1.32.4-rc1 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed | < 0.0.20250506T153719-1.1 |
References

- https://github.com/advisories/GHSA-864f-7xjm-2jp2 (advisory, via GHSA)
- https://nvd.nist.gov/vuln/detail/CVE-2025-46599 (advisory, via GHSA)
- https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port (web, via NVD)
- https://github.com/f1veT/BUG/issues/2 (web, via NVD)
- https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a (web, via NVD)
- https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1 (web, via NVD)
- https://github.com/k3s-io/k3s/issues/12164 (web, via NVD)
- https://pkg.go.dev/vuln/GO-2025-3646 (web, via GHSA)