CVE-2025-48710 – github.com/kro-run/kro
Package
Manager: go
Name: github.com/kro-run/kro
Vulnerable Version: >=0.1.0 <0.2.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
EPSS: 0.00113 (percentile 0.30506)
Details
Summary: kro Confused Deputy vulnerability
Description: kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users with permission to create or modify ResourceGraphDefinition resources to supply arbitrary container images in the resource templates those definitions carry. kro's controllers then deploy and run the attacker-controlled images with the controllers' own cluster privileges rather than the caller's, a confused-deputy scenario (CWE-441). The result is remote code execution on cluster nodes, obtained by a user who is already authenticated to the API but who may lack permission to create such workloads directly; no further authentication is needed once the definition is accepted. The original advisory text calls this "unauthenticated remote code execution"; the stated precondition and the CVSS vectors (PR:H) make clear that the attacker must hold write access to ResourceGraphDefinition objects.
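The practical control for this class of issue is to treat image references in ResourceGraphDefinition templates as untrusted input and enforce a registry allowlist at admission time, before kro's controllers ever act on them. The Go program below is an added example written for this page, not code from the kro project or from the advisory. It assumes the ResourceGraphDefinition layout (spec.resources[*].template holding ordinary Kubernetes manifests), a kro-style ${...} expression syntax for values filled in from the instance, a constructed registry allowlist, and JSON input (a YAML definition would be converted first); the SampleRGD document is constructed for illustration. Image fields that are template expressions are reported as violations too, because their value is chosen at instance time and cannot be validated statically.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ImageFinding describes one container image reference found in an RGD template.
type ImageFinding struct {
	Path    string // location inside the ResourceGraphDefinition
	Image   string // the image reference as written
	Allowed bool   // true when the registry prefix is on the allowlist
	Dynamic bool   // true when the value is a ${...} expression resolved at reconcile time
}

// allowedRegistries is a constructed allowlist; a real deployment sets its own.
// The trailing slash matters: "ghcr.io/kro-run/" does not match "ghcr.io/kro-runner/".
var allowedRegistries = []string{"registry.internal.example/", "ghcr.io/kro-run/"}

// imageAllowed reports whether image starts with an allowlisted registry prefix.
func imageAllowed(image string) bool {
	for _, p := range allowedRegistries {
		if strings.HasPrefix(image, p) {
			return true
		}
	}
	return false
}

// isDynamic reports whether v is a template expression (assumed ${...} syntax).
func isDynamic(v string) bool { return strings.Contains(v, "${") }

// walk visits a decoded JSON value and collects every string-valued "image" key,
// so it catches containers, initContainers and ephemeralContainers alike.
func walk(v any, path string, out *[]ImageFinding) {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			p := path + "." + k
			if s, ok := child.(string); ok && k == "image" {
				f := ImageFinding{Path: p, Image: s, Dynamic: isDynamic(s)}
				f.Allowed = !f.Dynamic && imageAllowed(s)
				*out = append(*out, f)
				continue
			}
			walk(child, p, out)
		}
	case []any:
		for i, child := range t {
			walk(child, fmt.Sprintf("%s[%d]", path, i), out)
		}
	}
}

// AuditRGD decodes a ResourceGraphDefinition (JSON) and returns every image
// reference found under spec.resources[*].template.
func AuditRGD(rgdJSON []byte) ([]ImageFinding, error) {
	var rgd struct {
		Spec struct {
			Resources []struct {
				ID       string          `json:"id"`
				Template json.RawMessage `json:"template"`
			} `json:"resources"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(rgdJSON, &rgd); err != nil {
		return nil, err
	}
	var findings []ImageFinding
	for i, r := range rgd.Spec.Resources {
		var tmpl any
		if err := json.Unmarshal(r.Template, &tmpl); err != nil {
			return nil, fmt.Errorf("resource %d (%s): %w", i, r.ID, err)
		}
		walk(tmpl, fmt.Sprintf("spec.resources[%d].template", i), &findings)
	}
	return findings, nil
}

// Violations returns the findings an admission policy should reject.
func Violations(findings []ImageFinding) []ImageFinding {
	var bad []ImageFinding
	for _, f := range findings {
		if !f.Allowed {
			bad = append(bad, f)
		}
	}
	return bad
}

// SampleRGD is a constructed definition: one allowlisted image, one foreign image,
// and one image supplied by the instance through a template expression.
const SampleRGD = `{"apiVersion":"kro.run/v1alpha1","kind":"ResourceGraphDefinition",
 "metadata":{"name":"web-app"},
 "spec":{"schema":{"apiVersion":"v1alpha1","kind":"WebApp","spec":{"image":"string"}},
  "resources":[
   {"id":"deployment","template":{"apiVersion":"apps/v1","kind":"Deployment",
    "spec":{"template":{"spec":{"containers":[
     {"name":"web","image":"registry.internal.example/web:1.4"},
     {"name":"sidecar","image":"docker.io/attacker/miner:latest"}]}}}}},
   {"id":"job","template":{"apiVersion":"batch/v1","kind":"Job",
    "spec":{"template":{"spec":{"containers":[
     {"name":"task","image":"${schema.spec.image}"}]}}}}}]}}`

func main() {
	findings, err := AuditRGD([]byte(SampleRGD))
	if err != nil {
		panic(err)
	}
	for _, f := range Violations(findings) {
		fmt.Printf("REJECT %s = %q (dynamic=%v)\n", f.Path, f.Image, f.Dynamic)
	}
}
```

Run as a ValidatingAdmissionPolicy-style check on ResourceGraphDefinition create/update requests, this rejects the definition before the controller reconciles it; the same allowlist must also be applied to the instance objects (or to the rendered workloads) so that a ${...} expression cannot be used to reintroduce a foreign image later.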
Metadata
Created: 2025-06-04T06:30:26Z
Modified: 2025-06-05T05:10:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-7633-x85h-5mqh/GHSA-7633-x85h-5mqh.json
CWE IDs: CWE-441 (Unintended Proxy or Intermediary, "Confused Deputy")
Alternative ID: GHSA-7633-x85h-5mqh
Finding: F332
Auto approve: 1