CVE-2025-29778
CVE Details
Visit the official vulnerability details page for CVE-2025-29778 to learn more.
Initial Publication
06/05/2025
Last Update
10/15/2025
Third Party Dependency
github.com/kyverno/kyverno
NIST CVE Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying an artifact's signature in keyless mode. It allows the attacker to deploy Kubernetes resources with artifacts that were signed by an unexpected certificate. Deploying these unauthorized Kubernetes resources can lead to full compromise of the Kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.
Our Official Summary
This vulnerability affects Kyverno’s keyless signature verification flow using Cosign (Fulcio/OIDC). In vulnerable versions, Kyverno fails to enforce the subjectRegExp and issuerRegExp checks when validating artifact signatures, allowing artifacts signed with unapproved certificates to be accepted. This could enable the deployment of unauthorized Kubernetes resources and, depending on their nature, potentially lead to full cluster compromise.
Within the Palette environment, Kyverno is installed on workload clusters only when workspaces are configured to blacklist container images, and it is used exclusively for image admission. Since this vulnerability applies only to Kyverno deployments that use Cosign in keyless mode, functionality that is not used in Palette-managed clusters, there is no impact on clusters provisioned by Palette.
As a precautionary measure, Kyverno and its related libraries will be upgraded to the latest available version that includes the fix for this vulnerability.
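For operators who run their own Kyverno policies outside Palette, the following added example (not Kyverno's or Palette's code) audits the JSON output of `kubectl get clusterpolicy -o json` for keyless attestors that depend on the subjectRegExp / issuerRegExp matchers, which are exactly the checks a vulnerable release skips. The policy names, image references and identities in the sample are constructed; the input shape `spec.rules[].verifyImages[].attestors[].entries[].keyless` is assumed from the Kyverno ClusterPolicy schema.

```python
"""Audit Kyverno ClusterPolicy JSON for keyless attestors that rely on
subjectRegExp / issuerRegExp, the matchers Kyverno releases before 1.14.0-alpha.1
ignore (CVE-2025-29778). Added example; assumes `kubectl get clusterpolicy -o json`."""
import json

# Constructed sample: one rule using the regex matchers (affected), one pinning
# an exact subject/issuer, one key-based rule (keyless mode not involved).
SAMPLE_POLICY_LIST = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterPolicy", "metadata": {"name": "keyless-regex"},
     "spec": {"rules": [{"name": "ci-images", "verifyImages": [{
         "attestors": [{"entries": [{"keyless": {
             "subjectRegExp": r"https://github\.com/example-org/.+",
             "issuerRegExp": r"https://token\.actions\.githubusercontent\.com"}}]}]}]}]}},
    {"kind": "ClusterPolicy", "metadata": {"name": "keyless-exact"},
     "spec": {"rules": [{"name": "ci-images", "verifyImages": [{
         "attestors": [{"entries": [{"keyless": {
             "subject": "https://github.com/example-org/app/.github/workflows/build.yaml@refs/heads/main",
             "issuer": "https://token.actions.githubusercontent.com"}}]}]}]}]}},
    {"kind": "ClusterPolicy", "metadata": {"name": "key-based"},
     "spec": {"rules": [{"name": "signed", "verifyImages": [{
         "attestors": [{"entries": [{"keys": {"publicKeys": "<placeholder>"}}]}]}]}]}},
]})


def _walk_entries(entries):
    """Yield every attestor entry, descending into nested attestor groups."""
    for entry in entries or []:
        yield entry
        yield from _walk_entries((entry.get("attestor") or {}).get("entries"))


def keyless_regex_findings(policy_list_json):
    """Return (policy, rule, field) for each keyless attestor that depends on a
    regex matcher. On an affected Kyverno version such a rule can accept an
    artifact signed under an unapproved certificate, whatever the regex says."""
    findings = []
    for pol in json.loads(policy_list_json).get("items", []):
        for rule in pol.get("spec", {}).get("rules", []):
            for vi in rule.get("verifyImages", []):
                for aset in vi.get("attestors", []):
                    for entry in _walk_entries(aset.get("entries")):
                        keyless = entry.get("keyless") or {}
                        for field in ("subjectRegExp", "issuerRegExp"):
                            if field in keyless:
                                findings.append((pol["metadata"]["name"], rule["name"], field))
    return findings


if __name__ == "__main__":
    for policy, rule, field in keyless_regex_findings(SAMPLE_POLICY_LIST):
        print(f"{policy}/{rule}: relies on {field}")
```

Any rule the script reports needs the fixed Kyverno release before its regex matchers actually constrain which signing identities are accepted.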
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.7.23 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
Revision History
Date | Revision |
---|---|
10/15/2025 | Official summary revised: This vulnerability affects Kyverno’s keyless signature verification flow using Cosign (Fulcio/OIDC). In vulnerable versions, Kyverno fails to enforce the subjectRegExp and issuerRegExp checks when validating artifact signatures, allowing artifacts signed with unapproved certificates to be accepted. This could enable the deployment of unauthorized Kubernetes resources and, depending on their nature, potentially lead to full cluster compromise. Within the Palette environment, Kyverno is installed on workload clusters only when workspaces are configured to blacklist container images, and it is used exclusively for image admission. Since this vulnerability applies only to Kyverno deployments that use Cosign in keyless mode, functionality that is not used in Palette-managed clusters, there is no impact on clusters provisioned by Palette. As a precautionary measure, Kyverno and its related libraries will be upgraded to the latest available version that includes the fix for this vulnerability. |
10/15/2025 | Status changed from Open to Ongoing |
10/15/2025 | Official summary added |