Platform: go
Component: github.com/openshift/openshift-apiserver
CVE-2025-14443 describes a Server-Side Request Forgery (SSRF) vulnerability in the OpenShift Apiserver component. The flaw allows an attacker to make the Apiserver initiate connections to unintended internal or external resources by manipulating image references. It affects versions of OpenShift Apiserver prior to the release containing the fix; upgrading promptly to the patched version is the recommended remedy.
The SSRF vulnerability in OpenShift Apiserver arises from insufficient validation of IP addresses and network ranges within user-supplied image references. An attacker could craft malicious image references that, when processed by the Apiserver, trigger requests to internal services or external websites. This could expose sensitive internal data, allow unauthorized access to internal resources, or be leveraged for reconnaissance. Successful exploitation could lead to a significant compromise of the OpenShift cluster and its underlying infrastructure. The potential blast radius extends to any service reachable from within the cluster that is not properly secured.
CVE-2025-14443 was published on 2026-03-10. The vulnerability's severity is rated HIGH (CVSS 8.5). Currently, there are no publicly available proof-of-concept exploits. Because the Apiserver plays a central role in OpenShift deployments, the flaw has the potential for widespread impact. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2025-14443 is to upgrade to a version of OpenShift Apiserver that includes the fix. Consult the official OpenShift documentation for the specific upgrade procedure. If immediate upgrading is not feasible, consider implementing network segmentation to restrict the Apiserver's access to sensitive internal resources. Additionally, review and strengthen firewall rules to limit outbound connections from the Apiserver. A generic WAF rule is hard to write for this flaw, but inspecting image references for suspicious registry hosts and address patterns could offer some protection.
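To make the validation gap and the compensating check concrete, here is an added Go example (not code from openshift-apiserver and not the project's actual fix) that extracts the registry host from an image reference and rejects it when it is, or resolves to, a loopback, private, link-local or otherwise internal address. The blocked ranges, the injected resolver and the function names are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Ranges a registry host must never point at: loopback, RFC 1918, link-local
// (cloud metadata), unspecified, IPv6 ULA. Constructed for this example; add
// your cluster's own service and pod CIDRs.
var blockedCIDRs = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10"}

// registryHost applies the docker/distribution rule: the first path component
// is a registry only if it contains '.' or ':' or is "localhost", else docker.io.
func registryHost(ref string) string {
	parts := strings.SplitN(ref, "/", 2)
	first := parts[0]
	if len(parts) == 1 || (!strings.ContainsAny(first, ".:") && first != "localhost") {
		return "docker.io"
	}
	if h, _, err := net.SplitHostPort(first); err == nil {
		return h // drops ":port" and the brackets around an IPv6 literal
	}
	return strings.Trim(first, "[]")
}

// CheckImageRef fails closed: a non-nil error means the reference must not be
// fetched because its registry host is, or resolves to, a blocked address.
// resolve is injected so the check runs offline; pass net.LookupIP in real code.
func CheckImageRef(ref string, resolve func(string) ([]net.IP, error)) error {
	host := registryHost(ref)
	ips, err := []net.IP{net.ParseIP(host)}, error(nil)
	if ips[0] == nil { // not an IP literal: resolve the hostname
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve registry host %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		for _, c := range blockedCIDRs {
			if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
				return fmt.Errorf("registry %q resolves to blocked address %s", host, ip)
			}
		}
	}
	return nil
}
```

Checking every resolved address (not just the hostname string) is what closes the gap the advisory describes: a name that points into an internal range is treated exactly like a raw internal IP literal.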
Update to a version of Red Hat OpenShift Container Platform 4 that includes the fix for this vulnerability. See Red Hat release notes for specific instructions on how to update your platform.
CVE-2025-14443 is a HIGH severity SSRF vulnerability in OpenShift Apiserver, allowing attackers to initiate connections to unintended resources via manipulated image references.
If you are running OpenShift Apiserver versions prior to the patched release, you are potentially affected by this SSRF vulnerability.
The recommended fix is to upgrade to a version of OpenShift Apiserver that includes the security patch. Consult the official OpenShift documentation for upgrade instructions.
At the time of writing, there are no publicly known active exploitation campaigns targeting CVE-2025-14443, but it is crucial to remain vigilant.
Refer to the official OpenShift security advisories and release notes for details regarding CVE-2025-14443 and the corresponding fix.