
Vulnerabilities in cluster-autoscaler-1.31.2

Open vish-kar opened this issue 5 months ago • 1 comments

Hi team,

We’re in the process of upgrading to Kubernetes 1.31 and using the cluster-autoscaler:v1.31.2 image from this repo. During our internal security scan, a few known vulnerabilities were flagged in the image’s dependencies.

Here's the list of CVEs that came up:

CVEs detected:

  • CVE-2025-30204 – Affects golang-jwt/jwt v4.5.0 & v5.2.1 (Fixed in 4.5.2 / 5.2.2). A parsing issue in ParseUnverified can lead to security risks if misused.
  • CVE-2024-45338 – Affects golang.org/x/net/html v0.26.0 (Fixed in 0.33.0). Potential DoS from non-linear parsing of crafted inputs.
  • CVE-2025-22872 – Affects golang.org/x/net/html v0.26.0 (Fixed in 0.38.0). Incorrect handling of self-closing tags with unquoted attribute values.
  • CVE-2024-45310 – Affects runc v1.1.13 (Fixed in 1.1.14 / 1.2.0-rc.3). Vulnerability in OCI runtime execution logic.
  • CVE-2024-35255 – Affects Azure SDK for Go v1.5.2 (Fixed in 1.6.0). Elevation of privilege in Azure Identity library.
  • CVE-2024-51744 – Affects golang-jwt/jwt v4.5.0 (Fixed in 4.5.1). Error handling confusion in ParseWithClaims.

It’d be great if these dependencies could be updated or the image could be rebuilt with patched versions.

vish-kar avatar Jun 20 '25 06:06 vish-kar
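A defender-side check for the report above, added here as an example and not code from the issue or from the autoscaler project: it reads the module list a Go binary embeds (the `go version -m <binary>` output) and flags any reported module still below the fixed versions the report gives. The Go module paths are assumed from the library names in the report, and the runc entry is held to whichever release line it is on, including the 1.2.0 pre-release line.

```go
package main

import (
	"fmt"
	"strings"
)

// "Fixed in" versions from the report above, keyed by Go module path (paths are assumed).
var fixes = map[string][]string{
	"github.com/golang-jwt/jwt/v4":   {"v4.5.1", "v4.5.2"},
	"golang.org/x/net":               {"v0.33.0", "v0.38.0"},
	"github.com/opencontainers/runc": {"v1.1.14", "v1.2.0-rc.3"},
}

// key renders a version so plain string comparison orders it: zero-padded numbers, then
// the pre-release tag, with a trailing "~" so a release sorts above its own rc.N tags.
func key(v string) string {
	num, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var a, b, c int
	fmt.Sscanf(num, "%d.%d.%d", &a, &b, &c)
	return fmt.Sprintf("%04d.%04d.%04d-%s~", a, b, c, pre)
}

// governing picks the highest fix in v's major line whose minor does not exceed v's, so
// runc 1.1.x is held to 1.1.14 and 1.2.0-rc.N to 1.2.0-rc.3; "" means v predates every fix.
func governing(mod, v string) (fix string) {
	kv := key(v)
	for _, f := range fixes[mod] {
		if kf := key(f); kf[:4] == kv[:4] && kf[:9] <= kv[:9] && kf > key(fix) {
			fix = f
		}
	}
	return fix
}

// Audit parses `go version -m <binary>` output (dep<TAB>path<TAB>version<TAB>sum lines)
// and returns each tracked dependency whose built version is below its governing fix.
func Audit(goVersionM string) (out []string) {
	for _, line := range strings.Split(goVersionM, "\n") {
		f := strings.Split(strings.TrimSpace(line), "\t")
		if len(f) < 3 || f[0] != "dep" || fixes[f[1]] == nil {
			continue
		}
		if fix := governing(f[1], f[2]); fix == "" || key(f[2]) < key(fix) {
			out = append(out, fmt.Sprintf("%s %s (fixed in %s)", f[1], f[2], strings.Join(fixes[f[1]], " / ")))
		}
	}
	return out
}

// Sample is constructed to mirror the report's flagged versions; the sums are placeholders.
const Sample = "\tdep\tgithub.com/golang-jwt/jwt/v4\tv4.5.0\th1:PLACEHOLDER=\n" +
	"\tdep\tgolang.org/x/net\tv0.26.0\th1:PLACEHOLDER=\n" +
	"\tdep\tgithub.com/opencontainers/runc\tv1.1.13\th1:PLACEHOLDER=\n"

func main() { fmt.Println(strings.Join(Audit(Sample), "\n")) }
```

Run it against real output with `go version -m cluster-autoscaler` piped into `Audit`; a module absent from `fixes` is simply not checked, so extend the map for the Azure Identity entry once its module path is confirmed.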

/area cluster-autoscaler

adrianmoisey avatar Jun 20 '25 07:06 adrianmoisey

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Sep 18 '25 07:09 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Oct 18 '25 08:10 k8s-triage-robot

@vish-kar I did a quick audit and cluster-autoscaler's latest 1.31 release (https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.31.5) is in sync with the above libraries in kubernetes @ v1.31.

I would advise using a newer version of Kubernetes and the corresponding latest minor version of Cluster Autoscaler.

jackfrancis avatar Oct 20 '25 15:10 jackfrancis