[Security Advisory] CVE-2025-9708: Kubernetes C# Client: improper certificate validation in custom CA mode may lead to man-in-the-middle attacks


Rita Zhang

Sep 16, 2025, 12:01:24 PM (16 hours ago) Sep 16
to kubernetes-announce, dev, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io

Hello Kubernetes Community,


A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority (CA) without properly verifying the trust chain. This flaw allows a malicious actor to present a forged certificate and potentially intercept or manipulate communication with the Kubernetes API server, leading to possible man-in-the-middle attacks and API impersonation.


This issue has been rated Medium (6.8) CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, and assigned CVE-2025-9708.


Am I vulnerable?


You are vulnerable if:

- You use the Kubernetes C# client to connect to a Kubernetes API server over TLS/HTTPS with custom CA certificates in your kubeconfig file and your connection occurs over an untrusted network.


Affected Versions

  • All versions of the Kubernetes C# client <= 17.0.13 (every release before the fix)

How do I mitigate this vulnerability?


This issue can be mitigated by:


  • Deploying the patched version of the Kubernetes C# client as soon as possible.

  • Moving the CA certificates into the system trust store instead of specifying them in the kubeconfig file. Note: This approach may introduce new risks, as all processes on the system will begin to trust certificates signed by that CA. If you must use an affected version, you can disable custom CA and add the CA to the machine's trusted root.
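For readers who cannot move the CA into the system store, the following is one defensive way to validate the API server's certificate strictly against the kubeconfig CA in .NET. It is an added example, not code from the Kubernetes C# client or its fix; it assumes .NET 5 or later (for X509ChainTrustMode.CustomRootTrust), and the class and method names are hypothetical.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: accept a server certificate only if it chains to one of
// the CA certificates loaded from the kubeconfig (certificate-authority or
// certificate-authority-data), never to an arbitrary or unknown authority.
public static class CustomCaValidation
{
    public static bool Validate(
        X509Certificate2Collection caCerts,   // CAs read from kubeconfig
        X509Certificate2? certificate,
        X509Chain? chain,
        SslPolicyErrors errors)
    {
        if (certificate is null || chain is null)
            return false;

        // A hostname mismatch or a missing certificate is never acceptable.
        // The only error we expect to handle ourselves is a chain error,
        // which is normal when the custom CA is not in the OS trust store.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;

        using var custom = new X509Chain();
        // Replace the system roots with the kubeconfig CA set. Unlike
        // AllowUnknownCertificateAuthority, this makes Build() fail unless the
        // chain terminates in one of caCerts.
        custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        custom.ChainPolicy.CustomTrustStore.AddRange(caCerts);
        custom.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        // Assumption: a private cluster PKI without CRL/OCSP endpoints, so
        // revocation is not checked here; enable it if your CA publishes one.
        custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        return custom.Build(certificate);
    }

    // Wire the strict check into an HttpClientHandler used for API server calls.
    public static HttpClientHandler CreateHandler(X509Certificate2Collection caCerts) =>
        new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => Validate(caCerts, cert, chain, errors)
        };
}
```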

Fixed Versions

  • Kubernetes C# client >= v17.0.14

Detection

To determine if your applications are affected:

  • Review your usage of the Kubernetes C# client and inspect certificate validation logic.

  • Review your kubeconfig files and determine if you use a custom CA certificate (the certificate-authority field in the clusters section).

  • Review client logs for unexpected or untrusted certificate connections.


If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io


Thank You,


Rita Zhang on behalf of the Kubernetes Security Response Committee

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/134063


Acknowledgements


This vulnerability was reported by @elliott-beach


The issue was fixed and coordinated by:


Boshi Lian @tg123

Brendan Burns @brendandburns

Rita Zhang @ritazh


