
Guide to CVE-2025-9708

Open tg123 opened this issue 4 months ago • 4 comments

CVE-2025-9708

Solution 1: Update to KubernetesClient 17.0.13+ if on .NET 8+

Most recommended

Common Issues when updating from version < 7.x

https://github.com/kubernetes-client/csharp/issues/772
https://github.com/kubernetes-client/csharp/issues/824

Solution 2: Can't update, or using KubernetesClient.Classic (net48 or netstandard2.0)

  1. Disable Custom CA

     config.SslCaCerts = null;
    
  2. Trust CA from kubeconfig

Example

    using System;
    using k8s;

    class Program
    {
        static void Main(string[] args)
        {
            var config = KubernetesClientConfiguration.BuildDefaultConfig();
            config.SslCaCerts = null; // ADD THIS LINE: do not use the custom CA from kubeconfig; trust it via the OS store (step 2) instead

            IKubernetes client = new Kubernetes(config);
            Console.WriteLine("Starting Request!");

            var list = client.CoreV1.ListNamespacedPod("default");
            foreach (var item in list.Items)
            {
                Console.WriteLine(item.Metadata.Name);
            }
        }
    }

Install-Module -Name powershell-yaml -Scope CurrentUser

.\importca.ps1 # see attached ps1

importca.ps1.zip

tg123 avatar Sep 19 '25 19:09 tg123
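A script that does what step 2 of Solution 2 describes, added here as an example; it is not the attached importca.ps1 and not the project's own code. It assumes the powershell-yaml module is installed (the Install-Module line above) and a Windows host, where the Classic client with config.SslCaCerts = null validates the API server against the user's certificate store.

```powershell
# Added example (not the attached importca.ps1): read the current context's cluster CA
# from a kubeconfig and add it to the CurrentUser Root store, so that a client running
# with config.SslCaCerts = null validates the API server against the OS trust store.
# Assumes the powershell-yaml module (ConvertFrom-Yaml) is installed and a Windows host.
param(
    [string]$KubeConfigPath = $(if ($env:KUBECONFIG) { $env:KUBECONFIG } else { Join-Path $HOME ".kube\config" })
)

Import-Module powershell-yaml -ErrorAction Stop
$kubeconfig = Get-Content -Raw -Path $KubeConfigPath | ConvertFrom-Yaml

# Resolve current-context -> context -> cluster entry
$ctxName = $kubeconfig['current-context']
$context = $kubeconfig.contexts | Where-Object { $_.name -eq $ctxName } | Select-Object -First 1
if (-not $context) { throw "current-context '$ctxName' not found in $KubeConfigPath" }
$cluster = $kubeconfig.clusters | Where-Object { $_.name -eq $context.context.cluster } | Select-Object -First 1
if (-not $cluster) { throw "cluster '$($context.context.cluster)' not found in $KubeConfigPath" }

# The CA is either inline (base64 of a PEM bundle) or a file path; refuse to continue without one
if ($cluster.cluster['certificate-authority-data']) {
    $caBytes = [Convert]::FromBase64String($cluster.cluster['certificate-authority-data'])
} elseif ($cluster.cluster['certificate-authority']) {
    $caBytes = [IO.File]::ReadAllBytes((Resolve-Path $cluster.cluster['certificate-authority']).Path)
} else {
    throw "cluster '$($cluster.name)' has no certificate-authority entry; nothing to import"
}

# Import the whole bundle: a chain may carry more than one CA certificate
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($caBytes)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "CurrentUser")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    foreach ($cert in $certs) {
        # Print what is about to be trusted so the thumbprint can be checked against the cluster operator's value
        Write-Host ("Trusting {0}  thumbprint={1}  notAfter={2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
        if ($store.Certificates.Contains($cert)) { Write-Host "  already present, skipping"; continue }
        $store.Add($cert)
    }
} finally {
    $store.Close()
}
```

Adding to CurrentUser\Root makes Windows show a confirmation dialog; the thumbprint in that dialog should match the one the script prints. Run it once per cluster whose CA you intend to trust.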

I'm looking at the Version Compatibility and wondering if prior major versions for supported Kubernetes releases (prior to K8s 1.33) would be patched as well. Upgrading to v17.0.14 could mean using an "incompatible" version of the client with the Kubernetes API if you're using K8s < 1.33.

crtreasu-msft avatar Sep 22 '25 18:09 crtreasu-msft

For most stable APIs like pods they are OK and have not changed for long.

May I know what server version you are using?

tg123 avatar Sep 23 '25 01:09 tg123

Which versions of KubernetesClient.Classic are safe? Currently, none of them are marked as vulnerable on NuGet.

yzhoholiev avatar Sep 27 '25 20:09 yzhoholiev

In talk with GitHub, better to use the dotnet core version.

Classic 17.0.14 will throw if you set a customized CA, but at least there is no vulnerability.

tg123 avatar Sep 27 '25 22:09 tg123

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Dec 26 '25 23:12 k8s-triage-robot

/remove-lifecycle stale

tg123 avatar Dec 27 '25 14:12 tg123