CVE-2025-55205: Capsule tenant owners with "patch namespace" permission can hijack system namespaces label

August 18, 2025

A namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing multi-tenant isolation and potentially accessing cross-tenant resources through TenantResource selectors. This vulnerability enables privilege escalation and violates the fundamental security boundaries that Capsule is designed to enforce.

References

github.com/advisories/GHSA-fcpm-6mxq-m5vv
github.com/projectcapsule/capsule
github.com/projectcapsule/capsule/commit/e1f47feade6e1695b2204407607d07c3b3994f6e
github.com/projectcapsule/capsule/security/advisories/GHSA-fcpm-6mxq-m5vv
nvd.nist.gov/vuln/detail/CVE-2025-55205

Code Behaviors & Features

Detect and mitigate CVE-2025-55205 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →