CVE-2026-46614
Fission · Fission Router
A route authorization bypass in the Fission router allows unauthorized callers to invoke functions by guessing their metadata, bypassing defined HTTPTrigger restrictions.
Executive summary
A critical routing vulnerability in Fission prior to version 1.23.0 allows unauthenticated attackers to invoke serverless functions, bypassing security controls.
Vulnerability
The Fission router incorrectly registers internal-style routes for all Function objects, regardless of whether an HTTPTrigger is defined. This allows an unauthenticated attacker who can reach the router to invoke any function by guessing its name and namespace, circumventing host, path, and method restrictions.
Business impact
With a CVSS score of 9.8, this vulnerability poses a severe risk to the confidentiality, integrity, and availability of the serverless environment. Successful exploitation could lead to unauthorized execution of internal functions, potentially exposing sensitive data or allowing an attacker to manipulate serverless workloads. This aligns with MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation).
Remediation
Immediate Action: Upgrade Fission to version 1.23.0 or later to ensure proper route authorization is enforced.
Proactive Monitoring: Monitor router access logs for high volumes of 404 errors or unexpected requests to the /fission-function/ path; either pattern may indicate an attempt to enumerate function names.
Compensating Controls: Implement network-level access control lists (ACLs) to restrict access to the Fission router (port 8888) to known, authorized internal services only.
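One way to implement the monitoring step above is to look, per source address, for runs of 404 responses and many distinct function names under the /fission-function/ path. This is an added example, not Fission's own tooling; the log lines are constructed, and the CLF-style log format and the thresholds are assumptions to adapt to the real router logs.

```python
"""Flag sources whose traffic to the router's internal-style function path
looks like name guessing. Added example; the log format is an assumption."""
import re
from collections import defaultdict

# Constructed sample access-log lines (CLF-style): ip, timestamp, request, status, bytes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /fission-function/billing HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "POST /fission-function/admin HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "POST /fission-function/backup HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "POST /fission-function/export HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "POST /fission-function/rotate-keys HTTP/1.1" 200 31
10.0.0.5 - - [01/Jan/2026:10:00:04 +0000] "GET /healthz HTTP/1.1" 200 2
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_enumerators(log_text, prefix="/fission-function/", max_404=2, max_distinct=3):
    """Return {ip: stats} for sources that exceed the 404 or distinct-name
    thresholds on the function path. 'hit_after_miss' marks a 200 that
    followed 404s from the same source, i.e. a guessed name that resolved."""
    stats = defaultdict(lambda: {"hits": 0, "not_found": 0, "names": set(), "hit_after_miss": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not rec["path"].startswith(prefix):
            continue
        s = stats[rec["ip"]]
        s["hits"] += 1
        s["names"].add(rec["path"][len(prefix):].split("/")[0])
        if rec["status"] == "404":
            s["not_found"] += 1
        elif s["not_found"] > 0:
            s["hit_after_miss"] = True
    return {ip: s for ip, s in stats.items()
            if s["not_found"] > max_404 or len(s["names"]) > max_distinct}


if __name__ == "__main__":
    for ip, s in find_enumerators(SAMPLE_LOG).items():
        print(ip, s["not_found"], "x 404,", len(s["names"]), "names, hit after miss:", s["hit_after_miss"])
```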
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability represents a significant security failure in the Fission routing architecture. Administrators must prioritize updating to version 1.23.0 immediately to prevent unauthorized function invocation and potential privilege escalation within the Kubernetes cluster.