[Security Advisory] CVE-2025-29922: Unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace

Marvin Beckers

Mar 20, 2025, 10:02:28 AM
to kcp...@googlegroups.com, kcp-...@googlegroups.com
Hello kcp community,

A security vulnerability has been discovered in kcp that allows creating or deleting an object via the APIExport Virtual Workspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding.

The vulnerability has been assigned CVE-2025-29922, and is rated Critical (9.6) (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
 
Am I vulnerable?

All kcp instances that allow untrusted users to create and use APIExports are affected by this vulnerability.

Affected versions

All versions prior to 0.26.3 and 0.27.0 are affected by this vulnerability.

How to mitigate this issue?

A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0. The only option to fully mitigate this issue is to upgrade to one of these versions, and we strongly recommend doing that as soon as possible.

Workarounds

For users unable to upgrade to one of the patched versions, the following guidance can be given:

- Minimise the set of people with apiexport/content sub-resource access to APIExport resources. Be aware that this has to apply to all workspaces to be effective.
- Filter incoming requests in a reverse proxy with logic similar to that of the authorizer added in the referenced pull request.

References

For additional details, please see the security advisory on GitHub[1].

Acknowledgements

We would like to thank Marko Mudrinić (@xmudrii) from Kubermatic for discovering, reporting and contributing to fixing this issue.

Kind regards,
Marvin Beckers
On behalf of the kcp maintainers

[1]: https://github.com/kcp-dev/kcp/security/advisories/GHSA-w2rr-38wv-8rrp
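The invariant the advisory describes (a request through an APIExport virtual workspace may only reach a target workspace that has bound that export) can be sketched as an authorizer. The following Go example is added here as an illustration; it is not kcp's code and not the authorizer from the referenced pull request. The type names, fields, the `ContentAccess` flag (standing in for a separately decided apiexport/content check) and the workspace names are assumptions. `AuthorizeBefore` models the pre-fix behaviour in which only the caller's access to the export is checked, and `Authorize` adds the missing APIBinding lookup on the target workspace; the same lookup is what a reverse-proxy filter from the Workarounds section would have to perform.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not kcp's code: a simplified model of the authorization
// invariant stated in the advisory. Type names and fields are assumptions.

// ExportRef identifies an APIExport by the workspace that owns it and its name.
type ExportRef struct {
	Workspace string
	Name      string
}

// APIBinding records that a consumer workspace has bound an APIExport,
// i.e. the workspace owner has granted the API provider access.
type APIBinding struct {
	Workspace string // consumer workspace in which the APIBinding lives
	Export    ExportRef
}

// Request holds the part of an APIExport virtual-workspace request the check
// needs: which export's virtual workspace is used, which workspace the request
// targets, the verb, and whether the caller holds apiexport/content on the
// export (assumed to be decided elsewhere, e.g. by RBAC).
type Request struct {
	Export          ExportRef
	TargetWorkspace string
	Verb            string
	ContentAccess   bool
}

// BindingIndex maps a consumer workspace to the set of exports it has bound.
type BindingIndex map[string]map[ExportRef]struct{}

// NewBindingIndex builds the lookup table from a list of APIBindings.
func NewBindingIndex(bindings []APIBinding) BindingIndex {
	idx := make(BindingIndex)
	for _, b := range bindings {
		if idx[b.Workspace] == nil {
			idx[b.Workspace] = make(map[ExportRef]struct{})
		}
		idx[b.Workspace][b.Export] = struct{}{}
	}
	return idx
}

var (
	ErrNoContentAccess = errors.New("caller lacks apiexport/content access on the APIExport")
	ErrNoBinding       = errors.New("target workspace has no APIBinding for this APIExport")
)

// AuthorizeBefore illustrates the pre-fix behaviour described in the advisory:
// only the caller's access to the export is checked, so a provider can create
// or delete objects in any target workspace, bound or not.
func AuthorizeBefore(_ BindingIndex, req Request) error {
	if !req.ContentAccess {
		return ErrNoContentAccess
	}
	return nil
}

// Authorize adds the missing check: the target workspace must have an
// APIBinding for the export whose virtual workspace is being used.
// Reading from a nil inner map is safe in Go, so unknown workspaces simply
// yield bound == false.
func Authorize(idx BindingIndex, req Request) error {
	if !req.ContentAccess {
		return ErrNoContentAccess
	}
	if _, bound := idx[req.TargetWorkspace][req.Export]; !bound {
		return fmt.Errorf("%s %s in %s: %w", req.Verb, req.Export.Name, req.TargetWorkspace, ErrNoBinding)
	}
	return nil
}

func main() {
	// Constructed sample: only root:team-a has bound the provider's "widgets" export.
	widgets := ExportRef{Workspace: "root:provider", Name: "widgets"}
	idx := NewBindingIndex([]APIBinding{{Workspace: "root:team-a", Export: widgets}})
	for _, ws := range []string{"root:team-a", "root:team-b"} {
		req := Request{Export: widgets, TargetWorkspace: ws, Verb: "create", ContentAccess: true}
		fmt.Printf("%-12s before=%v after=%v\n", ws, AuthorizeBefore(idx, req), Authorize(idx, req))
	}
}
```

Running it shows the create into root:team-b passing the pre-fix check and being rejected with ErrNoBinding by the corrected one. Note that in a real deployment the binding lookup must be made against the live set of APIBindings in the target workspace, and a proxy-based workaround has to cover every path through which the virtual workspace is reachable, or it provides no protection.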