PT-2025-12664 · Kyverno · Kyverno

Frgt10Cs · Published 2025-03-24 · Updated 2025-09-12 · CVE-2025-29778

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kyverno versions prior to 1.14.0-alpha.1

Description: Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores the subjectRegExp and issuerRegExp fields of a keyless attestor when verifying artifact signatures in keyless mode: only the exact subject and issuer fields are checked, while the regular-expression fields intended for more flexible identity matching are never evaluated. A policy whose keyless attestor relies only on subjectRegExp and issuerRegExp therefore enforces no constraint on the signing identity on affected versions, so an attacker can deploy Kubernetes resources whose artifacts are signed by an unexpected certificate. Deploying such unauthorized resources can lead to a full compromise of the Kubernetes cluster.

Recommendations: Upgrade to Kyverno version 1.14.0-alpha.1 or later to resolve this issue. Until the upgrade is possible, pin the exact subject and issuer in every keyless attestor instead of (or in addition to) the regular-expression fields, since affected versions do honor the exact fields.
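The affected configuration is the keyless attestor of a Kyverno ClusterPolicy. As an added example that is not part of this advisory and not Kyverno project code, the Python script below audits the JSON that `kubectl get clusterpolicies -o json` prints and flags keyless attestors that depend on subjectRegExp or issuerRegExp, the fields an affected version ignores. The embedded policy list is constructed for the example; the field names (verifyImages, attestations, attestors, entries, keyless, nested attestor, subject, issuer, subjectRegExp, issuerRegExp) follow the Kyverno v1 policy schema, and the verdict labels OPEN and DEGRADED are the script's own.

```python
"""Audit Kyverno ClusterPolicies for keyless attestors that rely on subjectRegExp /
issuerRegExp, which Kyverno versions before 1.14.0-alpha.1 ignore (CVE-2025-29778).

Input is the JSON printed by `kubectl get clusterpolicies -o json`. The sample below is
constructed for this example and is not real cluster output.
"""
import json
import sys
from typing import Iterator, Optional

SAMPLE_POLICY_LIST = json.loads(r'''
{
  "kind": "List",
  "items": [
    {
      "kind": "ClusterPolicy",
      "metadata": {"name": "verify-ci-images"},
      "spec": {"rules": [
        {
          "name": "regex-only",
          "verifyImages": [{
            "imageReferences": ["ghcr.io/example-org/*"],
            "attestors": [{"count": 1, "entries": [{"keyless": {
              "subjectRegExp": "https://github\\.com/example-org/.+/\\.github/workflows/release\\.yaml@refs/tags/v.*",
              "issuerRegExp": "https://token\\.actions\\.githubusercontent\\.com",
              "rekor": {"url": "https://rekor.sigstore.dev"}}}]}]
          }]
        },
        {
          "name": "exact-identity",
          "verifyImages": [{
            "imageReferences": ["ghcr.io/example-org/api:*"],
            "attestors": [{"entries": [{"keyless": {
              "subject": "https://github.com/example-org/api/.github/workflows/release.yaml@refs/tags/v1.2.3",
              "issuer": "https://token.actions.githubusercontent.com"}}]}]
          }]
        },
        {
          "name": "mixed-in-attestation",
          "verifyImages": [{
            "imageReferences": ["ghcr.io/example-org/worker:*"],
            "attestations": [{"type": "https://slsa.dev/provenance/v1",
              "attestors": [{"entries": [{"attestor": {"entries": [{"keyless": {
                "issuer": "https://token.actions.githubusercontent.com",
                "subjectRegExp": "https://github\\.com/example-org/worker/.*"}}]}}]}]}]
          }]
        }
      ]}
    }
  ]
}
''')


def _walk_entries(rule: str, path: str, attestor_sets) -> Iterator[tuple]:
    """Yield (rule, json_path, keyless_spec) for every keyless entry in a list of attestor
    sets, descending into nested sets written as {"attestor": {"entries": [...]}}."""
    for i, aset in enumerate(attestor_sets or []):
        for j, entry in enumerate(aset.get("entries") or []):
            here = f"{path}[{i}].entries[{j}]"
            if "keyless" in entry:
                yield rule, here + ".keyless", entry["keyless"]
            if "attestor" in entry:
                yield from _walk_entries(rule, here + ".attestor", [entry["attestor"]])


def keyless_entries(policy: dict) -> Iterator[tuple]:
    """Walk both image-signature attestors and attestation attestors of every rule."""
    for rule in policy.get("spec", {}).get("rules") or []:
        for k, vi in enumerate(rule.get("verifyImages") or []):
            base = f"verifyImages[{k}]"
            yield from _walk_entries(rule["name"], base + ".attestors", vi.get("attestors"))
            for a, att in enumerate(vi.get("attestations") or []):
                yield from _walk_entries(rule["name"], f"{base}.attestations[{a}].attestors",
                                         att.get("attestors"))


def classify(keyless: dict) -> Optional[str]:
    """OPEN: only regex fields constrain the identity, so an affected Kyverno enforces
    nothing about who signed. DEGRADED: exact subject/issuer still apply, but the regex
    fields are silently dropped. None: no regex fields, so this entry is unaffected."""
    uses_regex = any(keyless.get(f) for f in ("subjectRegExp", "issuerRegExp"))
    has_exact = any(keyless.get(f) for f in ("subject", "issuer"))
    if not uses_regex:
        return None
    return "DEGRADED" if has_exact else "OPEN"


def audit(policy_list: dict) -> list:
    """Return one finding per keyless entry that depends on the ignored regex fields."""
    findings = []
    for pol in policy_list.get("items") or []:
        for rule, path, keyless in keyless_entries(pol):
            verdict = classify(keyless)
            if verdict:
                findings.append({"policy": pol["metadata"]["name"], "rule": rule,
                                 "path": path, "verdict": verdict})
    return findings


if __name__ == "__main__":
    # Usage: python audit_keyless.py < policies.json   (defaults to the constructed sample)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY_LIST
    for f in audit(data):
        print(f"{f['verdict']:8} {f['policy']}/{f['rule']}  {f['path']}")
```

Run against a real export with `kubectl get clusterpolicies -o json > policies.json && python audit_keyless.py policies.json`. Any OPEN finding on a cluster running a version before 1.14.0-alpha.1 means that rule accepts artifacts signed by any certificate; DEGRADED findings keep the exact identity pin but lose whatever the regex was meant to add, so both should be reviewed before or alongside the upgrade.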

Weakness Enumeration

Improper Authorization

Related Identifiers

BIT-KYVERNO-2025-29778
CVE-2025-29778
GHSA-46MP-8W32-6G94
GO-2025-3562
OPENSUSE-SU-2025:14937-1

Affected Products

Kyverno