PT-2026-25993 · Go · Github.Com/Tektoncd/Pipeline
Published
2026-03-17
·
Updated
2026-03-17
·
CVE-2026-33022
CVSS v3.1
6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A user with permission to create or update a TaskRun or PipelineRun can crash the Tekton Pipelines controller by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31 characters or more, causing a denial of service for all reconciliation.
Details
The controller panics in GenerateDeterministicNameFromSpec when building a deterministic ResolutionRequest name. The generated name has the format {resolver}-{hash} and, when the resolver name is long enough, the result exceeds the DNS-1123 label limit of 63 characters.
The truncation logic attempts to find a word boundary using strings.LastIndex(name, " "). Since the generated name never contains spaces (it is composed of the resolver name, a dash, and a hex-encoded hash), LastIndex returns -1, which is then used as a slice bound:
    return name[:strings.LastIndex(name[:maxLength], " ")], nil
    // strings.LastIndex returns -1 → panic: slice bounds out of range [:-1]
The panic crashes the controller. Because the offending TaskRun or PipelineRun is re-reconciled on restart, the controller enters a CrashLoopBackOff, blocking all TaskRun and PipelineRun reconciliation cluster-wide until the offending resource is manually deleted.
Built-in resolvers use short names (git, cluster, bundles, hub) and are not affected under normal usage. The vulnerability is exploitable by any user who can create TaskRuns or PipelineRuns with a custom resolver name.
Impact
Denial of service — A single malicious TaskRun or PipelineRun with a long resolver name is sufficient to crash the Tekton Pipelines controller into a restart loop, blocking all CI/CD reconciliation cluster-wide until the resource is removed.
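The failing truncation and the patch strategy described under Patches below, reconstructed here in Go as an added example (not Tekton's own code): vulnerableName reproduces the -1 slice bound, fixedName hashes first and trims only the resolver prefix. The 32-character hash length, the function names and the sample spec are assumptions chosen so the advisory's 31-character threshold reproduces.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// maxLength is the DNS-1123 label limit a ResolutionRequest name must satisfy.
const maxLength = 63

// hashOf returns a 32-hex-character digest; the length is an assumption so that the
// advisory's 31-character threshold reproduces (31 + "-" + 32 = 64 > 63).
func hashOf(spec []byte) string {
	sum := sha256.Sum256(spec)
	return hex.EncodeToString(sum[:16])
}

// vulnerableName reconstructs the pre-fix shape described in the advisory: it builds
// {resolver}-{hash}, then looks for a space that never exists, so strings.LastIndex
// returns -1 and name[:-1] panics with "slice bounds out of range".
func vulnerableName(resolver string, spec []byte) (string, error) {
	name := resolver + "-" + hashOf(spec)
	if len(name) <= maxLength {
		return name, nil
	}
	return name[:strings.LastIndex(name[:maxLength], " ")], nil
}

// fixedName follows the patch strategy the advisory describes: hash first, then
// truncate only the resolver prefix so the full hash (and thus uniqueness) survives.
func fixedName(resolver string, spec []byte) (string, error) {
	hash := hashOf(spec)
	budget := maxLength - len(hash) - 1 // characters left for the prefix before "-"
	if budget < 1 {
		return "", fmt.Errorf("hash alone exceeds %d characters", maxLength)
	}
	if len(resolver) > budget {
		resolver = resolver[:budget]
	}
	return resolver + "-" + hash, nil
}

// panics reports whether fn panics, so the crash can be observed without ending the process.
func panics(fn func()) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	fn()
	return false
}
```

Calling panics(func() { vulnerableName(strings.Repeat("x", 31), spec) }) returns true, while fixedName on the same input yields a 63-character name with the hash intact.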
Patches
(to be filled in: e.g. "Fixed in versions 1.10.1, 1.9.1, ...")
The fix computes the hash first, then truncates only the prefix (resolver name) to fit within the DNS-1123 label limit, preserving the full hash to maintain determinism and uniqueness of ResolutionRequest names.
Workarounds
Restrict who can create TaskRun and PipelineRun resources via Kubernetes RBAC. There is no validation-side workaround without patching.
Affected Versions
All releases from v0.60.0 through v1.10.0.
The vulnerable truncation logic was introduced in commit ea1fa7ad1fdc ("Remote Resolution Refactor"), first released in v0.60.0 (2024-05-22).
Currently supported affected releases:
- v1.10.x (latest)
- v1.9.x (LTS, EOL 2027-01-30)
- v1.6.x (LTS, EOL 2026-10-31)
- v1.3.x (LTS, EOL 2026-08-04)
- v1.0.x (LTS, EOL 2026-04-29)
Releases prior to v0.60.0 are not affected — the truncation code did not exist.
Acknowledgments
This vulnerability was reported by Oleh Konko (@1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!
References
- Fix: (link to merged PR/commit)
- Introduced in: ea1fa7ad1fdc ("Remote Resolution Refactor")
Weakness Enumeration
Resource Exhaustion
Affected Products
Github.Com/Tektoncd/Pipeline