CVE-2025-46599

MEDIUM

CNCF K3s <1.32.4-rc1+k3s1 - Info Disclosure

Title source: llm

Description

CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.

References (5)

[Various Sources] https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port

[Various Sources] https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1

[Patch] https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a

View Patch ZIP pw:eip

[Issue Tracking] https://github.com/f1veT/BUG/issues/2

[Issue Tracking] https://github.com/k3s-io/k3s/issues/12164

Scores

CVSS v3 6.8

EPSS 0.0035

EPSS Percentile 57.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1188

Status published

Products (2)

K3s/K3s 1.32 - 1.32.4-rc1+k3s

k3s-io/k3s 1.32.0-rc1 - 1.32.4-rc1Go

Published Apr 25, 2025

Tracked Since Feb 18, 2026