CVE-2025-48710

low-risk

Published 2025-06-04

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

Do I need to act?

0.75% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.1/10 Medium

NETWORK / LOW complexity

References (2)

https://github.com/kro-run/kro/compare/v0.2.1...v0.2.2

https://orca.security/resources/blog/kubernetes-crd-abstraction-risks-kro/

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 3/34 · Minimal

Exposure 5/34 · Minimal