PT-2025-30438 · Kyverno · Kyverno

Thevilledev · Published 2025-07-22 · Updated 2026-04-16 · CVE-2025-47281

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kyverno versions 1.14.1 and below

Description: Kyverno is susceptible to a Denial of Service (DoS) vulnerability stemming from improper handling of JMESPath variable substitutions. An attacker with permission to create or update Kyverno policies can trigger it by crafting an expression that uses the {{@}} variable together with a pipe and an invalid JMESPath function (e.g., {{@ | non existent function }}). The substitution then yields a nil value, which is written into the policy structure. When getValueAsStringMap, which expects string values, later processes that structure, the type assertion on the nil value fails and the function panics. The panic can crash Kyverno worker threads in the admission controller and cause the reports controller pod to crash repeatedly, degrading the service or making it unavailable.

Recommendations: Kyverno versions prior to 1.14.2 are affected. Update to version 1.14.2 or later to resolve this issue.
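The failure mode the description names is a Go type assertion on a value that turned out to be nil. The added example below is not Kyverno's code and does not reproduce its getValueAsStringMap; the function names, the map layout and the sample input are assumptions constructed to illustrate the pattern. It places the unchecked assertion (which panics on a nil or non-string value, the crash behaviour the advisory describes) beside the comma-ok form that turns the same bad value into an error the caller can log and reject. The actual change shipped in 1.14.2 may differ from this.

```go
package main

import "fmt"

// unsafeValueAsStringMap mirrors the vulnerable pattern: every value in the
// substituted structure is assumed to be a string, and the assertion is not
// checked. A nil value (what a failed JMESPath substitution left behind)
// panics here, taking the worker or controller loop down with it.
// Hypothetical illustration, not Kyverno's own function.
func unsafeValueAsStringMap(data map[string]interface{}) map[string]string {
	out := make(map[string]string, len(data))
	for k, v := range data {
		out[k] = v.(string) // panics if v is nil or not a string
	}
	return out
}

// safeValueAsStringMap is the hardened form: the comma-ok assertion
// reports which key held the unexpected value instead of panicking, so a
// malformed policy is rejected rather than crashing the process.
func safeValueAsStringMap(data map[string]interface{}) (map[string]string, error) {
	out := make(map[string]string, len(data))
	for k, v := range data {
		s, ok := v.(string)
		if !ok {
			return nil, fmt.Errorf("key %q: expected string, got %T", k, v)
		}
		out[k] = s
	}
	return out, nil
}

// callUnsafe reports whether unsafeValueAsStringMap panicked on the input,
// recovering so the failure can be shown without aborting the program.
func callUnsafe(data map[string]interface{}) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	unsafeValueAsStringMap(data)
	return false
}

func main() {
	// Constructed sample: one substitution succeeded, one resolved to nil.
	substituted := map[string]interface{}{
		"message": "allowed",
		"label":   nil,
	}
	fmt.Println("unchecked assertion panicked:", callUnsafe(substituted))
	if _, err := safeValueAsStringMap(substituted); err != nil {
		fmt.Println("checked assertion returned error:", err)
	}
}
```

The defensive point is where the check lives: a panic inside a long-running admission worker or controller reconcile loop becomes a crash of the whole pod, so any value produced by user-controlled policy input should be validated with the comma-ok form (or rejected at substitution time when it resolves to nil) before a string-only consumer sees it.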

Exploit · Fix · DoS · RCE

Weakness Enumeration

Related Identifiers

BIT-KYVERNO-2025-47281
CLEANSTART-2026-UQ68343
CVE-2025-47281
ECHO-7558-E0E5-D2B2
GHSA-R5P3-955P-5GGQ
GO-2025-3823
OPENSUSE-SU-2025:15405-1

Affected Products

Kyverno