SecuriTricks - CVE-2025-48710

Description

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

Product(s) Impacted

Vendor	Product	Versions
Kro	Kube Resource Orchestrator	0.1.0, <0.2.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	kro	kube_resource_orchestrator	0.1.0	/	/	/	/	/	/	/
a	kro	kube_resource_orchestrator	<0.2.1	/	/	/	/	/	/	/

References

https://github.com/kro-run/kro/compare/v0.2.1...v0.2.2

https://orca.security/resources/blog/kubernetes-crd-abstraction-risks-kro/

CVSS Score

4.1 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

View Vector String

Timeline

Published: June 4, 2025, 6:15 a.m.
Last Modified: June 4, 2025, 2:54 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

CVE-2025-48710