Advisory CVE-2025-46599 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/k3s-io/k3s |
Description:
CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.
References:
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-46599
- FIX: k3s-io/k3s@097b63e
- REPORT: k3s version v1.32.3+k3s1 default configuration kubelet exposes cluster container env risk f1veT/BUG#2
- REPORT: Kubelet read-only-port is not set to 0 on k3s 1.32+ k3s-io/k3s#12164
- WEB: https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port
- WEB: k3s-io/k3s@v1.32.3+k3s1...v1.32.4-rc1+k3s1
Cross references:
- github.com/k3s-io/k3s appears in 1 other report(s):
- data/excluded/GO-2023-2060.yaml (x/vulndb: potential Go vuln in github.com/k3s-io/k3s: GHSA-m4hf-6vgr-75r2 #2060) EFFECTIVELY_PRIVATE
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/k3s-io/k3s
      vulnerable_at: 1.0.1
summary: CVE-2025-46599 in github.com/k3s-io/k3s
cves:
    - CVE-2025-46599
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-46599
    - fix: https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a
    - report: https://github.com/f1veT/BUG/issues/2
    - report: https://github.com/k3s-io/k3s/issues/12164
    - web: https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port
    - web: https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1
source:
    id: CVE-2025-46599
    created: 2025-04-25T06:01:24.647312574Z
review_status: UNREVIEWED
```