Medium severity4.1OSV Advisory· Published Jun 4, 2025· Updated Apr 15, 2026
CVE-2025-48710
CVE-2025-48710
Description
kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/kro-run/kroGo | >= 0.1.0, < 0.2.1 | 0.2.1 |
Affected products
3- Range: v0.1.0, v0.2.0, v0.2.0-rc.1
- ghsa-coords2 versions
>= 0.1.0, < 0.2.1+ 1 more
- (no CPE)range: >= 0.1.0, < 0.2.1
- (no CPE)range: < 0.0.20250612T141001-1.1
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.