CVE-2025-24376: KubeWarden's AdmissionPolicy and AdmissionPolicyGroup policies can be used to alter PolicyReport resources
(updated )
By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy. There might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature. For example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. See this section of Kubewarden’s documentation for more details about PolicyReport resources. An attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects to hide non-compliant resources. Moreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside of the namespace.
References
- github.com/advisories/GHSA-fc89-jghx-8pvg
- github.com/kubewarden/kubewarden-controller
- github.com/kubewarden/kubewarden-controller/commit/8124039b5f0c955d0ee8c8ca12d4415282f02d2c
- github.com/kubewarden/kubewarden-controller/security/advisories/GHSA-fc89-jghx-8pvg
- nvd.nist.gov/vuln/detail/CVE-2025-24376
- pkg.go.dev/vuln/GO-2025-3434
Detect and mitigate CVE-2025-24376 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →