Kyverno's Improper JMESPath Variable Evaluation Leads to Denial of Service
Description
Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function }}). This leads to a nil value being substituted into the policy structure. Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values, results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno worker threads in the admission controller and causes continuous crashes of the reports controller pod. This is fixed in version 1.14.2.
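The description above boils down to a Go type-assertion pattern: a variable substitution that resolves to nil reaches a helper that assumes every value is a string, and an unchecked assertion like v.(string) panics with "interface {} is nil, not string". The following is an added illustration, not Kyverno's code and not the real getValueAsStringMap: unsafeValueAsStringMap reproduces the failure class on a constructed substitution map, safeValueAsStringMap shows the comma-ok form that turns the same input into a validation error, and didPanic is a small hypothetical helper that confines the panic so the two behaviours can be compared in one process.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotString is returned when a substituted value is nil or not a string.
var ErrNotString = errors.New("substituted value is not a string")

// unsafeValueAsStringMap models the vulnerable pattern: an unchecked type
// assertion on each substituted value. A nil value (what an invalid JMESPath
// function call substitutes) makes v.(string) panic and takes the worker down.
func unsafeValueAsStringMap(in map[string]interface{}) map[string]string {
	out := make(map[string]string, len(in))
	for k, v := range in {
		out[k] = v.(string) // panics: interface conversion: interface {} is nil, not string
	}
	return out
}

// safeValueAsStringMap is the hardened form: the comma-ok assertion converts
// a nil or non-string value into an error the caller can surface as a policy
// validation failure instead of a crash.
func safeValueAsStringMap(in map[string]interface{}) (map[string]string, error) {
	out := make(map[string]string, len(in))
	for k, v := range in {
		s, ok := v.(string)
		if !ok {
			return nil, fmt.Errorf("field %q: %w (got %T)", k, ErrNotString, v)
		}
		out[k] = s
	}
	return out, nil
}

// didPanic runs fn and reports whether it panicked and with what message,
// so the vulnerable path can be demonstrated without crashing the process.
func didPanic(fn func()) (panicked bool, msg string) {
	defer func() {
		if r := recover(); r != nil {
			panicked, msg = true, fmt.Sprint(r)
		}
	}()
	fn()
	return false, ""
}

func main() {
	// Constructed inputs: one well-formed substitution result and one where a
	// variable resolved to nil, the shape the advisory describes.
	good := map[string]interface{}{"image": "registry.example/app:1.0", "env": "prod"}
	bad := map[string]interface{}{"image": "registry.example/app:1.0", "env": nil}

	if p, msg := didPanic(func() { unsafeValueAsStringMap(bad) }); p {
		fmt.Println("unchecked assertion panicked:", msg)
	}
	if _, err := safeValueAsStringMap(bad); err != nil {
		fmt.Println("checked assertion returned error:", err)
	}
	m, _ := safeValueAsStringMap(good)
	fmt.Println("well-formed input converted:", m)
}
```

The defensive point is that input reaching a conversion helper after variable substitution is attacker-influenced (anyone who can write policies controls it), so every assertion on its dynamic type needs the comma-ok form and an error path; a recover() in the admission handler is a backstop, not a substitute, because the reports controller in the advisory kept crashing on the same stored policy.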
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/kyverno/kyverno (Go) | < 1.14.2 | 1.14.2 |
Affected products (10 package versions from OSV coordinates; no CPE assigned to any of them)
- pkg:apk/chainguard/kyverno-notation-aws, range: < 1.1-r20
- pkg:apk/chainguard/kyverno-notation-aws-compat, range: < 1.1-r20
- pkg:apk/chainguard/kyverno-notation-aws-fips, range: < 1.1-r20
- pkg:apk/chainguard/reports-server, range: < 0
- pkg:apk/chainguard/reports-server-compat, range: < 0
- pkg:apk/wolfi/kyverno-notation-aws, range: < 1.1-r20
- pkg:apk/wolfi/kyverno-notation-aws-compat, range: < 1.1-r20
- pkg:bitnami/kyverno, range: < 1.14.2
- pkg:golang/github.com/kyverno/kyverno, range: < 1.14.2
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed, range: < 0.0.20250730T213748-1.1
References
- github.com/advisories/GHSA-r5p3-955p-5ggq (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-47281 (GHSA, ADVISORY)
- github.com/kyverno/kyverno/commit/cbd7d4ca24de1c55396fc3295e9fc3215832be7c (GHSA, x_refsource_MISC, WEB)
- github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggq (GHSA, x_refsource_CONFIRM, WEB)