Kro · Kro · CVE-2025-48710
**Name of the Vulnerable Software and Affected Versions**
kro (Kube Resource Orchestrator) versions 0.1.0 through 0.2.1
**Description**
The issue allows users with permission to create or modify ResourceGraphDefinition resources to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.
**Recommendations**
For versions 0.1.0 through 0.2.1, update to version 0.2.1 or later to resolve the issue.
As a temporary workaround, consider restricting access to create or modify ResourceGraphDefinition resources to minimize the risk of exploitation.