CVE-2025-13888

9.1 CRITICAL
Published: December 15, 2025 Modified: December 24, 2025
View on NVD

Description

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://access.redhat.com/errata/RHSA-2025:23203
Source: secalert@redhat.com
https://access.redhat.com/errata/RHSA-2025:23206
Source: secalert@redhat.com
https://access.redhat.com/errata/RHSA-2025:23207
Source: secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2025-13888
Source: secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2418361
Source: secalert@redhat.com
https://github.com/redhat-developer/gitops-operator/commit/bc6ac3e03d7c8b3db5d8f1770c868396a4c2dcef
Source: secalert@redhat.com
https://github.com/redhat-developer/gitops-operator/pull/897
Source: secalert@redhat.com
https://github.com/redhat-developer/gitops-operator/releases/tag/v1.16.2
Source: secalert@redhat.com

8 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.1 / 10.0
EPSS (Exploit Probability)
0.1%
22th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-266

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3