Security researchers have disclosed a critical vulnerability in Kubernetes Capsule v0.10.3 and earlier versions that allows authenticated tenant users to inject arbitrary labels into system namespaces, fundamentally breaking multi-tenant isolation.
The vulnerability, tracked as CVE-2025-55205 with a CVSS score of 9.9, enables attackers to bypass security boundaries and access cross-tenant resources, potentially leading to cluster-wide compromise.
Vulnerability Overview
The newly disclosed vulnerability represents a significant security flaw in Capsule’s namespace validation webhook logic.
Located in the pkg/webhook/namespace/validation/patch.go file, the vulnerability stems from inadequate conditional checks that only validate tenant ownership when a namespace already contains a tenant label.
This design flaw creates a dangerous bypass mechanism where system namespaces lacking default tenant labels become vulnerable to unauthorized label injection.
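The conditional shape described above, as an added illustration written for this article rather than Capsule's own code: a weak check that only validates ownership when a tenant label is already present, beside the corrected rule. The Request type, the function names and the exact tenant label key are assumptions for the example.

```go
package main

import "fmt"

// Assumed tenant label key: Capsule marks the namespaces it manages with a
// tenant label; the exact key is an assumption for this example.
const tenantLabel = "capsule.clastix.io/tenant"

// Request models the part of a namespace UPDATE admission review the check needs.
type Request struct {
	OwnerOf   string            // tenant the requester owns ("" for cluster admins)
	OldLabels map[string]string // namespace labels before the patch
	NewLabels map[string]string // namespace labels after the patch
}

// validateVulnerable has the flawed shape the article describes: ownership is only
// checked when a tenant label already exists, so an unlabelled namespace
// (kube-system, default, capsule-system) accepts any label patch unchecked.
func validateVulnerable(r Request) error {
	old, hasTenant := r.OldLabels[tenantLabel]
	if !hasTenant {
		return nil // flaw: no tenant label means no ownership check at all
	}
	if old != r.OwnerOf || r.NewLabels[tenantLabel] != old {
		return fmt.Errorf("tenant label mismatch")
	}
	return nil
}

// validateFixed: a tenant owner may only patch namespaces already assigned to their
// tenant and may never change that label; cluster admins (no tenant) are exempt.
func validateFixed(r Request) error {
	if r.OwnerOf == "" {
		return nil
	}
	old, hasTenant := r.OldLabels[tenantLabel]
	if !hasTenant || old != r.OwnerOf {
		return fmt.Errorf("namespace is not owned by tenant %q", r.OwnerOf)
	}
	if r.NewLabels[tenantLabel] != old {
		return fmt.Errorf("tenant label must not change")
	}
	return nil
}

func main() {
	// Constructed request: a tenant owner stamps a tenant label onto an unlabelled system namespace.
	inject := Request{OwnerOf: "tenant-a", OldLabels: map[string]string{},
		NewLabels: map[string]string{tenantLabel: "tenant-a"}}
	fmt.Println("vulnerable:", validateVulnerable(inject), "fixed:", validateFixed(inject))
}
```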
The attack vector mirrors the previously disclosed CVE-2024-39690, but utilizes label injection instead of ownerReference manipulation to achieve similar devastating effects.
Authenticated tenant users can exploit this weakness to inject malicious labels into critical system namespaces including kube-system, default, and capsule-system, effectively hijacking these protected environments.
The vulnerability enables a multi-stage attack where malicious actors first inject arbitrary labels into unprotected system namespaces, then leverage TenantResource selectors to gain unauthorized access to cross-tenant resources.
This exploitation path allows attackers to circumvent quota restrictions, bypass network policies, and potentially access sensitive cluster-wide configurations and secrets.
Security researchers demonstrated the attack using a proof-of-concept that successfully injected labels into the kube-system namespace and subsequently created malicious TenantResource objects to exploit the compromised labeling system.
The attack requires only basic RBAC permissions and can be executed by any authenticated tenant user with patch namespace permissions.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-55205 |
| CVSS Score | 9.9 (Critical) |
| Affected Versions | Capsule ≤ 0.10.3 |
| Patched Version | 0.10.4 |
| Attack Vector | Network |
| Privileges Required | Low |
| Attack Complexity | Low |
| Scope | Changed |
This vulnerability poses severe risks to multi-tenant Kubernetes environments, particularly affecting cloud service providers and organizations relying on Capsule for tenant isolation.
The potential for privilege escalation, data exfiltration, and resource quota bypass makes this a high-priority security concern requiring immediate attention.
Organizations running Kubernetes Capsule must immediately upgrade to version 0.10.4 to address this critical vulnerability.
The severity of this flaw, combined with its potential for cluster-wide compromise, underscores the importance of robust validation mechanisms in multi-tenant security architectures.
Security teams should review their current Capsule deployments and implement appropriate monitoring to detect potential exploitation attempts.