Security vulnerability CVE-2024-45337 related to metrics-server api


Ajit Kumar

Jun 11, 2025, 4:51:20 AM
to kubernetes-sig-...@googlegroups.com
Hello Kubernetes Team,

We are reaching out to you to report some security vulnerabilities in the latest available release 0.7.2 of metrics-server api.

We are utilizing metrics-server, the open-source tool for monitoring resource usage within a cluster, as part of our metrics monitoring stack inside one of our Oracle applications. There are some reported violations that are originating from the metrics-server api which we are currently using. We have already upgraded to the latest available release version 0.7.2 of metrics-server (https://github.com/kubernetes-sigs/metrics-server/releases) which in turn uses the vulnerable golang.org/x/crypto:0.26.0 as an indirect dependency. The reported vulnerabilities are mentioned below:

#1 ANCHORE:CVE-2024-45337+crypto:v0.26.0:non-os package type (golang)

#2 ANCHORE:CVE-2025-22869+crypto:v0.26.0:non-os package type (golang)

Please let us know if you have any plan to address the above vulnerabilities in a future release and, if so, whether there is a probable timeline for this.

Appreciate your attention.

Thanks,
Ajit Kumar
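The report above hinges on an indirect dependency: metrics-server 0.7.2 itself is not the flagged component, but the golang.org/x/crypto v0.26.0 it pulls in transitively is. A defender triaging such a scanner finding wants to confirm which version of the module actually lands in the build and whether it is below the fixed version. The following is an added example, not code from the metrics-server project or from the poster: it parses a constructed go.mod (including `// indirect` requires), compares module versions against a table of fixed versions, and reports each advisory whose fix is newer than the pinned version. The fixed versions in the table are not stated in the report; they are entered as assumed thresholds and should be confirmed against the Go vulnerability database entries for the two CVEs before use.

```python
"""Flag module versions in a go.mod that fall below an advisory's fixed version.

Added example for triaging scanner findings on indirect Go dependencies.
Both require forms are handled: a `require ( ... )` block and a single-line
`require path version`, with or without a trailing `// indirect` marker.
"""
import re
from typing import Dict, List, Tuple

# Constructed go.mod excerpt. The x/crypto line mirrors the version named in
# the report (v0.26.0, pulled in indirectly); the other modules are filler.
SAMPLE_GO_MOD = """\
module example.com/metrics-stack

go 1.22

require (
	github.com/spf13/cobra v1.8.1
	golang.org/x/crypto v0.26.0 // indirect
	golang.org/x/net v0.28.0 // indirect
)

require k8s.io/client-go v0.31.0
"""

# ASSUMED fixed versions for the two CVEs in the report. They are not given on
# the mailing-list page; confirm them against the Go vulnerability database.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "golang.org/x/crypto": [
        ("CVE-2024-45337", "v0.31.0"),
        ("CVE-2025-22869", "v0.35.0"),
    ],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v0.26.0' (optionally with -prerelease/+build suffix) into a comparable tuple.

    Pseudo-versions such as v0.0.0-20240101-abcdef reduce to (0, 0, 0), which
    is the conservative reading: they sort below any tagged release.
    """
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def parse_go_mod(text: str) -> Dict[str, Tuple[str, bool]]:
    """Return {module_path: (version, is_indirect)} for every require entry."""
    mods: Dict[str, Tuple[str, bool]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block:
            entry = line
        elif line.startswith("require "):
            entry = line[len("require "):]
        else:
            continue  # module/go/replace/exclude lines are not requires
        m = re.match(r"(\S+)\s+(v\S+)(\s*//\s*indirect)?", entry)
        if m:
            mods[m.group(1)] = (m.group(2), m.group(3) is not None)
    return mods


def find_vulnerable(
    mods: Dict[str, Tuple[str, bool]],
    advisories: Dict[str, List[Tuple[str, str]]] = ADVISORIES,
) -> List[Tuple[str, str, str, str, bool]]:
    """Return (path, pinned_version, cve, fixed_version, is_indirect) for each hit."""
    findings = []
    for path, (ver, indirect) in mods.items():
        for cve, fixed in advisories.get(path, []):
            if parse_version(ver) < parse_version(fixed):
                findings.append((path, ver, cve, fixed, indirect))
    return findings


if __name__ == "__main__":
    for path, ver, cve, fixed, indirect in find_vulnerable(parse_go_mod(SAMPLE_GO_MOD)):
        kind = "indirect" if indirect else "direct"
        print(f"{cve}: {path} {ver} ({kind}) is below fixed version {fixed}")
```

On a real checkout, `go list -m -json all` gives the module versions the build actually selects after minimum version selection, which is the authoritative input rather than the raw go.mod text; `govulncheck` goes a step further and reports only advisories whose vulnerable functions are reachable from the binary, which is the distinction that decides whether a finding like the one above is exploitable in metrics-server or only present in its dependency graph.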
