Kyverno is a popular policy engine designed specifically for Kubernetes, which helps cloud-native platform engineering teams manage Kubernetes policies. The primary goal of Kyverno is to simplify policy management across multiple clusters and to enforce best practices for cluster security. However, a critical vulnerability (CVE-2025-29778) has been identified in earlier versions of Kyverno that allows an attacker to deploy Kubernetes resources with artifacts signed by unauthorized certificates. This post discusses the details of the vulnerability, including its cause and impact, and the patch available in the latest version.

Vulnerability Details (CVE-2025-29778)

Kyverno, prior to version 1.14.0-alpha.1, had an oversight in its implementation: it ignored subjectRegExp and issuerRegExp while verifying artifact signatures in keyless mode. As a result, an attacker could deploy Kubernetes resources using artifacts signed by unexpected or malicious certificates, as long as those certificates were otherwise accepted by the keyless trust chain. Deploying such unauthorized resources could lead to full compromise of the cluster and to data breaches.

To illustrate the issue more concretely, here is a policy that relies on the affected fields and would therefore have been bypassed in vulnerable versions:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signatures
spec:
  validationFailureAction: Enforce
  background: false
  rules:
  - name: signed-images
    match:
      any:
      - resources:
          kinds:
          - Deployment
    verifyImages:
    # every image in the Deployment must carry a keyless (Sigstore) signature
    - imageReferences:
      - "*"
      attestors:
      - entries:
        - keyless:
            # constraints on the signing certificate's identity; these are the
            # two fields that vulnerable versions silently ignored
            subjectRegExp: "CN=(.+)\\.example\\.org"
            issuerRegExp: "CN=my-ca\\.com"
            rekor:
              url: https://rekor.sigstore.dev

In this example, the intention is to ensure that all deployments use signed images whose signing certificate matches the expected subject and issuer. However, due to the aforementioned oversight, Kyverno did not evaluate subjectRegExp and issuerRegExp at all, so an image signed by any certificate accepted by the keyless trust chain, regardless of its subject or issuer, would pass the rule, and an attacker could deploy resources with images signed by unauthorized certificates.
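To make the missing check concrete, the following Go program is an added example written for this post; it is not Kyverno's source, which delegates keyless verification to the Sigstore libraries. It reimplements only the identity step with the standard library: it reads the subject (the e-mail SAN) and the OIDC issuer (the Fulcio extension with OID 1.3.6.1.4.1.57264.1.1) from a signing certificate, then applies a rule's exact and regexp constraints. VerifyIdentityVulnerable is a simplified model of the flaw (the regexp fields are never consulted), VerifyIdentity is the corrected behaviour, and the certificates it checks are self-signed test certificates constructed in NewTestCert rather than real Fulcio-issued ones. The rule's regexp semantics (anchored Go regular expressions, empty field means no constraint) are an assumption of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Sigstore/Fulcio extension holding the OIDC issuer of the signing identity (v1, raw string).
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// KeylessRule holds the identity fields of a Kyverno keyless attestor; an empty field is no constraint.
type KeylessRule struct {
	Subject, Issuer             string // exact match
	SubjectRegExp, IssuerRegExp string // regular-expression match
}

// CertIdentity reads subject (first e-mail SAN) and issuer (Fulcio extension) from a certificate.
func CertIdentity(cert *x509.Certificate) (subject, issuer string, err error) {
	if len(cert.EmailAddresses) == 0 {
		return "", "", fmt.Errorf("certificate has no e-mail SAN")
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			return cert.EmailAddresses[0], string(ext.Value), nil
		}
	}
	return "", "", fmt.Errorf("certificate has no Fulcio issuer extension")
}

// checkField enforces the exact and the regexp constraint on one observed value.
func checkField(name, observed, exact, re string) error {
	if exact != "" && observed != exact {
		return fmt.Errorf("%s %q != %q", name, observed, exact)
	}
	if re != "" {
		// a malformed regexp fails closed: MatchString returns false together with an error
		if ok, _ := regexp.MatchString(re, observed); !ok {
			return fmt.Errorf("%s %q does not match %q", name, observed, re)
		}
	}
	return nil
}

// verify runs the identity check. useRegExp=false models the flaw in the
// advisory (simplified, not Kyverno's source): the *RegExp fields are ignored.
func verify(rule KeylessRule, cert *x509.Certificate, useRegExp bool) error {
	subject, issuer, err := CertIdentity(cert)
	if err != nil {
		return err
	}
	subRe, issRe := "", ""
	if useRegExp {
		subRe, issRe = rule.SubjectRegExp, rule.IssuerRegExp
	}
	if err := checkField("subject", subject, rule.Subject, subRe); err != nil {
		return err
	}
	return checkField("issuer", issuer, rule.Issuer, issRe)
}

func VerifyIdentity(r KeylessRule, c *x509.Certificate) error           { return verify(r, c, true) }
func VerifyIdentityVulnerable(r KeylessRule, c *x509.Certificate) error { return verify(r, c, false) }

// NewTestCert builds a self-signed certificate shaped like a Fulcio signing
// certificate (e-mail SAN + issuer extension); constructed for this example only.
func NewTestCert(email, oidcIssuer string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		EmailAddresses:  []string{email},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(oidcIssuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// a rule that relies only on the regexp fields, like the policy above
	rule := KeylessRule{SubjectRegExp: `^[^@]+@example\.org$`, IssuerRegExp: `^https://accounts\.google\.com$`}
	for _, email := range []string{"dev@example.org", "someone@evil.test"} {
		cert, err := NewTestCert(email, "https://accounts.google.com")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s vulnerable=%v  fixed=%v\n", email,
			VerifyIdentityVulnerable(rule, cert), VerifyIdentity(rule, cert))
	}
}
```

Running it shows the second certificate, whose subject is outside example.org, accepted by the vulnerable check and rejected by the fixed one. The design point for a policy author is that a keyless rule should constrain both subject and issuer, and that a verifier must treat an unparseable or unmatched constraint as a rejection rather than as "no constraint".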

Here are some of the original references that address this vulnerability:

- Kyverno GitHub Repository - Issue #986
- Kyverno Release v1.14.0-alpha.1 - Release Notes
- CVE-2025-29778 - National Vulnerability Database

Patch and Mitigation

To address this vulnerability and prevent unauthorized Kubernetes deployments, the Kyverno team has released a patch as part of version 1.14.0-alpha.1. Users running older versions of Kyverno are strongly advised to update to the patched version immediately to secure their Kubernetes clusters.

You can download the latest Kyverno release (v1.14.0-alpha.1) containing the patch from the following link:

- Kyverno v1.14.0-alpha.1 - GitHub Releases Page

Conclusion

This post highlighted the critical vulnerability CVE-2025-29778, present in Kyverno prior to version 1.14.0-alpha.1, which allowed attackers to deploy Kubernetes resources with artifacts signed by unexpected certificates, potentially leading to full cluster compromise. The patch shipped in Kyverno v1.14.0-alpha.1 addresses the vulnerability, and users are urged to upgrade their Kyverno installations to secure their Kubernetes clusters.

Timeline

Published on: 03/24/2025 17:15:20 UTC
Last modified on: 03/27/2025 16:45:46 UTC