Description

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

PUBLISHED Reserved 2025-05-23 | Published 2025-06-04 | Updated 2025-06-04 | Assigner mitre

MEDIUM: 4.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N)

Problem types

CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')

Product status

Default status: unaffected

0.1.0 (semver) before 0.2.1: affected

References

github.com/kro-run/kro/compare/v0.2.1...v0.2.2

orca.security/.../blog/kubernetes-crd-abstraction-risks-kro/

cve.org (CVE-2025-48710)

nvd.nist.gov (CVE-2025-48710)