PT-2025-5568 · Unknown+1 · Kubewarden-Controller+1

Flavio · Published 2025-01-30 · Updated 2025-02-11 · CVE-2025-24784

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: kubewarden-controller versions 1.17.0 through 1.20.x
Description: Kubewarden policies can be allowed to query the Kubernetes API at evaluation time; such policies are called "context aware". Context aware policies can perform list and get operations against a Kubernetes cluster using the ServiceAccount of the Policy Server instance that hosts the policy. This issue allows an attacker to obtain information about resources that are out of their reach by leveraging the higher access to the cluster granted to the ServiceAccount token used to run the policy. The impact depends on the privileges that have been granted to the ServiceAccount used to run the Policy Server; the rating assumes that users follow the recommended best practice of keeping the Policy Server's ServiceAccount least privileged. By default, the Kubewarden helm chart grants access only to the following resources: Namespace, Pod, Deployment, and Ingress.
Recommendations: For versions 1.17.0 through 1.20.x, update to version 1.21.0 or later to resolve the issue. As a temporary workaround for versions prior to 1.21.0, apply a Kubewarden policy that prevents the creation of AdmissionPolicyGroup resources with access to Kubernetes resources, such as the policy provided in the OSV description. Restrict access to the AdmissionPolicyGroup resource to minimize the risk of exploitation, and avoid using context aware policies until the fix is applied.

Tags: Exploit · Fix · LPE · Information Disclosure · Improper Authorization

Weakness Enumeration

Related Identifiers

BDU:2025-06261
CVE-2025-24784
GHSA-756X-M4MJ-Q96C
GO-2025-3435
OPENSUSE-SU-2025:14732-1
OPENSUSE-SU-2025_0429-1
SUSE-SU-2025:0429-1

Affected Products

Suse
Kubewarden-Controller