CVE-2025-29778: Kyverno ignores subjectRegExp and IssuerRegExp
Kyverno ignores subjectRegExp and IssuerRegExp when verifying an artifact's signature in keyless mode. This allows an attacker to deploy Kubernetes resources that reference artifacts signed by an unexpected certificate.
References
- github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go
- github.com/advisories/GHSA-46mp-8w32-6g94
- github.com/kyverno/kyverno
- github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60
- github.com/kyverno/kyverno/pull/12237
- github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94
- github.com/kyverno/policies/issues/1246
- nvd.nist.gov/vuln/detail/CVE-2025-29778