CVE-2025-46342: Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements
Due to missing error propagation in the function GetNamespaceSelectorsFromNamespaceLister in pkg/utils/engine/labels.go, policy rules that use namespace selectors in their match statements may mistakenly not be applied during admission review request processing. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations.