CVE-2021-25735

MEDIUM

Kube-apiserver - Privilege Escalation

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-25735. PoCs published by darryk10, securitystuffbackup.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2021-25735, demonstrating a Kubernetes Validating Admission Webhook bypass. It includes a Node.js server that validates node label changes, along with deployment and registration YAML files to set up the vulnerable environment.

Description

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

Exploits (2)

nomisec WORKING POC 17 stars
by darryk10 · poc
https://github.com/darryk10/CVE-2021-25735

This repository contains a functional exploit PoC for CVE-2021-25735, demonstrating a Kubernetes Validating Admission Webhook bypass. It includes a Node.js server that validates node label changes, along with deployment and registration YAML files to set up the vulnerable environment.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes Validating Admission Webhook
Auth required
Prerequisites: Kubernetes cluster access · Ability to deploy webhooks · Node.js environment
devstral-2 · analyzed Feb 18, 2026

gitlab WORKING POC
by securitystuffbackup · poc
https://gitlab.com/securitystuffbackup/cve-2021-25735

This repository provides a functional exploit for CVE-2021-25735, demonstrating a Kubernetes Validating Admission Webhook bypass. It includes a Node.js server that validates node label changes, along with deployment and registration YAML files to set up the vulnerable environment.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes Validating Admission Webhook
Auth required
Prerequisites: Kubernetes cluster access · Ability to deploy webhooks · TLS certificates generation
devstral-2 · analyzed Feb 23, 2026

References (2)

Core References
Mailing List, Third Party Advisory x_refsource_misc
https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y
Patch, Third Party Advisory x_refsource_misc
https://github.com/kubernetes/kubernetes/issues/100096

Scores

CVSS v3 6.5
EPSS 0.1630
EPSS Percentile 95.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Details

CWE: CWE-372
Status: published
Products (2)
k8s.io/kubernetes 1.20.0 - 1.20.6 (Go)
kubernetes/kubernetes < 1.18.18
Published Sep 06, 2021
Tracked Since Feb 18, 2026