DirectorySecurity AdvisoriesPricing
/
Sign in
Security Advisories

CGA-3g56-2jfq-629j

Published

Last updated

https://images.chainguard.dev/security/CGA-3g56-2jfq-629j
Package

kyverno-policy-reporter-plugins-kyverno-fips

Repository

Chainguard

Latest Update
Pending upstream fix
Aliases
  • CVE-2025-66506
  • GHSA-f83f-xpx7-ffpw

Severity

7.5

High

CVSS V3

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-66506
  • https://github.com/advisories/GHSA-f83f-xpx7-ffpw

Updates

Status

Pending upstream fix

Impact

Updating Fulcio v1.8.3 requires sigstore/sigstore v1.10.0, which removed the cryptoutils.ValidatePubKey function that cosign v2.4.1 depends on. Migrating to cosign v3 would fix that incompatibility, but it's a major version upgrade that requires k8s.io v0.34.x—and upgrading to that version would break compatibility. Updating fulcio would force a cascade of breaking changes across the dependency chain. Upstream need substantial refactoring and API compatibility updates to make this work.

Status

Under investigation

The trusted source for open source

Talk to an expert
© 2025 Chainguard. All Rights Reserved.
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0Golden ImagesCVE RemediationPublic Sector

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogPartnersNewsroomCareersLegal