PT-2025-23762 · Kro · Kro

Roi Nisimi

·

Published

2025-06-04

·

Updated

2025-07-03

·

CVE-2025-48710

CVSS v3.1

4.1

Medium

Vector AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions kro (Kube Resource Orchestrator) versions 0.1.0 before 0.2.1 (fixed in 0.2.1)
Description A user with RBAC permission to create or modify ResourceGraphDefinition objects can place arbitrary container image references in the resource templates an RGD carries. kro's controller then reconciles those templates and deploys the referenced images, a confused-deputy scenario in which the controller, not the attacker, performs the deployment (hence S:C in the vector). The result is remote code execution on cluster nodes without any further authentication: the attacker needs only the RBAC rights on ResourceGraphDefinition objects, which is why the vector scores PR:H.
Recommendations Update to version 0.2.1 or later. Until the upgrade is done, restrict create, update and patch on resourcegraphdefinitions.kro.run to trusted administrators via RBAC, and audit existing ResourceGraphDefinition objects for image references that point outside your approved registries.
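The audit step in the workaround can be scripted. The following is an added example, not kro's own code: it walks an RGD's spec.resources[*].template objects (the RGD layout is assumed from the kro documentation, as is kro's ${...} expression syntax), collects every image key, and flags images whose registry is not on an allow-list. It also flags images whose value is a kro expression, because such an image is chosen by whoever creates an instance of the RGD rather than by the RGD author, so it cannot be vetted statically. The RGD document, the allowed registries and the registry hosts are all constructed for illustration.

```python
"""Audit a kro ResourceGraphDefinition for container images outside an allow-list.

Added example, not part of kro. The RGD below is constructed; its layout
(spec.resources[*].template holding an ordinary Kubernetes object) and the
${...} expression syntax are assumed from the kro documentation.
"""

# Registries (or registry/namespace prefixes) the cluster is allowed to pull
# from. Hypothetical values for the example.
ALLOWED_REGISTRIES = ("registry.internal.example", "ghcr.io/example-org")


def iter_images(obj, path=""):
    """Yield (json_path, image) for every "image" key in a nested object.

    Walking the whole template rather than a fixed list of container paths
    catches initContainers, ephemeralContainers and pod templates embedded
    in Deployments, Jobs, CronJobs and so on.
    """
    if isinstance(obj, dict):
        for key, value in obj.items():
            sub = f"{path}.{key}"
            if key == "image" and isinstance(value, str):
                yield sub, value
            else:
                yield from iter_images(value, sub)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from iter_images(value, f"{path}[{i}]")


def normalize(image):
    """Resolve the implicit registry the way container runtimes do.

    The first path component is a registry host only if it contains '.' or
    ':' or is 'localhost'; otherwise the image comes from docker.io, and a
    single-component name is an official image under library/.
    """
    head, sep, remainder = image.partition("/")
    if sep and ("." in head or ":" in head or head == "localhost"):
        return image
    if "/" not in remainder and sep:
        return "docker.io/" + image
    if not sep:
        return "docker.io/library/" + image
    return "docker.io/" + image


def is_allowed(full_image):
    """True if the normalized image sits under an allowed registry prefix."""
    return any(full_image == r or full_image.startswith(r + "/")
               for r in ALLOWED_REGISTRIES)


def check_rgd(rgd):
    """Return a list of (resource_id, path, image, reason) findings."""
    findings = []
    for res in rgd.get("spec", {}).get("resources", []):
        rid = res.get("id", "?")
        for path, image in iter_images(res.get("template", {})):
            if "${" in image:
                # A kro expression: the image is resolved from the instance
                # at reconcile time, so the RGD alone says nothing about it.
                findings.append((rid, path, image,
                                 "templated: image chosen by the instance, "
                                 "cannot be vetted statically"))
                continue
            full = normalize(image)
            if not is_allowed(full):
                findings.append((rid, path, image,
                                 f"registry not allowed ({full})"))
    return findings


# Constructed sample RGD: one trusted image, one docker.io image, one
# templated image and one image from an unknown registry.
SAMPLE_RGD = {
    "apiVersion": "kro.run/v1alpha1",
    "kind": "ResourceGraphDefinition",
    "metadata": {"name": "web-app"},
    "spec": {
        "schema": {"apiVersion": "v1alpha1", "kind": "WebApp",
                   "spec": {"image": "string"}},
        "resources": [
            {"id": "deployment",
             "template": {
                 "apiVersion": "apps/v1", "kind": "Deployment",
                 "metadata": {"name": "web"},
                 "spec": {"template": {"spec": {
                     "initContainers": [
                         {"name": "init", "image": "busybox:1.36"}],
                     "containers": [
                         {"name": "app",
                          "image": "registry.internal.example/team/web:1.4.2"},
                         {"name": "sidecar", "image": "${schema.spec.image}"},
                     ]}}}}},
            {"id": "job",
             "template": {
                 "apiVersion": "batch/v1", "kind": "Job",
                 "spec": {"template": {"spec": {"containers": [
                     {"name": "worker",
                      "image": "evil.example.net/x/payload:latest"}]}}}}},
        ],
    },
}

if __name__ == "__main__":
    for rid, path, image, reason in check_rgd(SAMPLE_RGD):
        print(f"{rid}{path}: {image}: {reason}")
```

To run this against a live cluster, feed it the output of kubectl get resourcegraphdefinitions.kro.run -A -o json (each item in the returned list is one RGD). The templated-image finding is the one to treat with most care: an RGD that passes the registry check but takes its image from the instance schema has merely moved the decision to whoever may create instances of that kind, so the RBAC restriction in the workaround has to cover those instance types as well, not only ResourceGraphDefinition itself.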

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2025-48710
GHSA-7633-x85h-5mqh
GO-2025-3741
OPENSUSE-SU-2025:15225-1

Affected Products

Kro