CVE-2025-47281
CVE-2025-47281 affects Kyverno up to version 1.14.1, where DoS can be triggered by crafted JMESPath expressions using {{@}} with an invalid function, causing a nil substitution and a panic in getValueAsStringMap that crashes Kyverno worker threads and reports controller pod. The issue is fixed in...
CVE-2025-47281 Kyverno's Improper JMESPath Variable Evaluation Leads to Denial of Service
Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft...
Kyverno security vulnerability
Kyverno is a policy engine for Kubernetes open-sourced by Kyverno. A security vulnerability exists in Kyverno versions 1.14.1 and earlier and versions 2025.6.0-rc1 through 2025.6.3, which stems from improper handling of the JMESPath variable and could lead to a denial of service attack...
GHSA-R5P3-955P-5GGQ Kyverno's Improper JMESPath Variable Evaluation Leads to Denial of Service
Summary A Denial of Service (DoS) vulnerability exists in Kyverno due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the @ variable combined with a pipe and an invalid JMESPath function e.g., @ |...
Kyverno's Improper JMESPath Variable Evaluation Leads to Denial of Service
Summary A Denial of Service (DoS) vulnerability exists in Kyverno due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the @ variable combined with a pipe and an invalid JMESPath function e.g., @ |...
Uncaught Exception
Overview Affected versions of this package are vulnerable to Uncaught Exception via improper handling of JMESPath variable substitutions in the getValueAsStringMap function within pkg/engine/wildcards/wildcards.go. An attacker can cause the admission controller and reports controller to crash by...
PT-2025-30438 · Kyverno · Kyverno
Name of the Vulnerable Software and Affected Versions: Kyverno versions 1.14.1 and below Description: Kyverno is susceptible to a Denial of Service (DoS) vulnerability stemming from improper handling of JMESPath variable substitutions. Attackers possessing permissions to create or update Kyverno...
Critical Photon OS Security Update - PHSA-2025-4.0-0804
Updates of 'dotnet-sdk', 'rubygem-jmespath', 'rubygem-kubeclient', 'dotnet-runtime' packages of Photon OS have been released...
SUSE SLED15: python-ply-doc / python2-jmespath / python2-ply / python3-jmespath / etc (SUSE-SU-2023:2571-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:2571-1 advisory. salt: - Update to Salt release version 3006.0 (jsc#PED-4361) See release notes:...
Fedora: Security Advisory for golang-github-jmespath (FEDORA-2022-ea8f4e232d)
The remote host is missing an update for the...
[SECURITY] Fedora 36 Update: golang-github-jmespath-0.4.0-6.fc36
A JMESPath implementation in Go...
Fedora: Security Advisory for golang-github-jmespath (FEDORA-2022-3969b64d4b)
The remote host is missing an update for the...
[SECURITY] Fedora 35 Update: golang-github-jmespath-0.4.0-5.fc35
A JMESPath implementation in Go...
Fedora: Security Advisory for golang-github-jmespath (FEDORA-2022-fae3ecee19)
The remote host is missing an update for the...
[SECURITY] Fedora 36 Update: golang-github-jmespath-0.4.0-5.fc36
A JMESPath implementation in Go...
Fedora: Security Advisory for rubygem-jmespath (FEDORA-2022-779e050244)
The remote host is missing an update for the...
Fedora: Security Advisory for rubygem-jmespath (FEDORA-2022-13d49faee0)
The remote host is missing an update for the...
[SECURITY] Fedora 35 Update: rubygem-jmespath-1.6.1-1.fc35
Implements JMESPath for Ruby...
[SECURITY] Fedora 36 Update: rubygem-jmespath-1.6.1-1.fc36
Implements JMESPath for Ruby...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the usage of JSON.load, which is considered unsafe when used with untrusted input. Remediation Upgrade jmespath to version 1.6.1 or higher. References - GitHub Commit - GitHub PR...