CVE 4.7 MEDIUM

KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer_CVE-2025-64432

November 7, 2025 invoker category_cve
4.7 / 10
MEDIUM
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Description

KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.

Basic Information

ID CVE-2025-64432
Source GitHub_M
Published Nov 7, 2025 at 18:38
Modified Nov 7, 2025 at 18:54

Affected Product

Vendor kubevirt
Product kubevirt
Version < 1.5.3
Affected Versions kubevirt kubevirt < 1.5.3
kubevirt kubevirt >= 1.6.0, < 1.6.1

CWE Classification

CWE-287 CWE-295

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.