Kubernetes Vulnerability Advisory: CVE-2020-8561, CVE-2020-8562, CVE-2021-25740

Vulnerability Overview The Kubernetes project is updating three previously unpatched CVE records that were not correctly documented in earlier versions. These vulnerabilities include: 1. CVE-2020-8561: Webhook redirect in kube-apiserver 2. CVE-2020-8562: Proxy bypass via DNS TOCTOU 3. CVE-2021-25740: Cross-namespace forwarding via Endpoints Impact Scope CVE-2020-8561: Affects the HTTP redirect behavior of kube-apiserver, potentially allowing requests within internal private networks to be redirected. CVE-2020-8562: Affects the DNS checking mechanism of the API server proxy, potentially allowing IP restrictions to be bypassed. CVE-2021-25740: Affects the design of Endpoints and EndpointSlice API objects, potentially allowing manual specification of IP addresses pointing to load balancers or Ingress backends. Remediation CVE-2020-8561: Webhook redirect in kube-apiserver Severity: Medium (4.1) Issue: kube-apiserver follows HTTP redirects during communication, which could lead to requests within internal private networks being redirected. Why Not Patched: Restricting this behavior would break standard HTTP client behavior, which many legitimate integrations rely on. Mitigation: Set the API server log level to below 10 (to prevent logging response bodies) and disable dynamic profiling ( ) to prevent unauthorized log level changes. CVE-2020-8562: Proxy bypass via DNS TOCTOU Severity: Low (3.1) Issue: A time-of-check to time-of-use (TOCTOU) race condition in the API server proxy allows users to bypass IP restrictions. Why Not Patched: Fixing this would require pinning resolved IPs, which would break complex split-horizon DNS or dynamic IP environments. Mitigation: Use a local DNS caching server like dnsmasq for the API server and configure to enforce consistent responses between checks and connections. CVE-2021-25740: Cross-namespace forwarding via Endpoints Severity: Low (3.1) Issue: A design flaw in the Endpoints and EndpointSlice API objects allows users to manually specify IP addresses pointing to load balancers or Ingress backends. Why Not Patched: This is a fundamental functionality of the Endpoints API used for networking tools. Mitigation: Restrict write access to Endpoints (legacy) and EndpointSlices. Starting with Kubernetes 1.22, the Kubernetes RBAC authorization model no longer includes these permissions in the default and ClusterRoles. For clusters created with Kubernetes v1.22, administrators should manually audit and reconcile the ClusterRole. Required Actions for Administrators Conclusion: Maturing Through Transparency By correcting these records, the Kubernetes project demonstrates the maturity of its security ecosystem. By moving beyond a "patch-only" mindset and accurately documenting architectural debt, the Kubernetes project provides the community with high-fidelity data to protect modern cloud-native infrastructure. --- Note: On June 1, 2026, these CVE records will be updated to correctly reflect the fact that all versions are affected. You may start seeing them appear in vulnerability scanner results.

Goal Reached Thanks to every supporter — we hit 100%!

Kubernetes Vulnerability Advisory: CVE-2020-8561, CVE-2020-8562, CVE-2021-25740