CVE-2026-50564
Fission · Fission (Kubernetes Framework)
Fission prior to 1.24.0 contains a vulnerability in its Environment CRD that allows for privilege escalation by propagating insecure podspec fields without validation.
Executive summary
A critical privilege escalation vulnerability in Fission allows users to bypass security checks and gain elevated permissions within the Kubernetes environment.
Vulnerability
The vulnerability exists because the Environment CRD merge logic propagates sensitive fields—such as hostNetwork, hostPID, hostIPC, and privileged—without proper filtering or security validation. This allows an authenticated user to inject malicious configurations into runtime and builder pods.
Business impact
A CVSS score of 9.9 underscores the high risk of full cluster compromise. An attacker could exploit this to escape the container boundary, access sensitive host information, or gain administrative control over the Kubernetes environment, leading to massive data breaches and service disruption.
Remediation
Immediate Action: Upgrade the Fission framework to version 1.24.0 or later to implement proper filtering and security validation for podspecs.
Proactive Monitoring: Audit existing Fission Environment CRDs for podspecs that set hostNetwork, hostPID, hostIPC, or privileged, and monitor Kubernetes audit logs for attempts to deploy privileged or host-networked pods.
Compensating Controls: Use Kubernetes Admission Controllers (e.g., OPA Gatekeeper or Kyverno) to enforce policies that forbid the use of hostNetwork, hostPID, or privileged containers.
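One way to run the Environment audit described under Proactive Monitoring, as an added example that is not Fission project code. It assumes the Environment layout spec.runtime / spec.builder with a podspec and an optional container override; the sample objects, image names and function names are constructed for illustration.

```python
import json
import sys

POD_FLAGS = ("hostNetwork", "hostPID", "hostIPC")  # pod-level fields named in the advisory

def risky_fields(podspec):
    """Return the risky settings that are enabled in one podspec dict."""
    found = [f for f in POD_FLAGS if podspec.get(f) is True]
    for key in ("containers", "initContainers"):
        for c in podspec.get(key) or []:
            if (c.get("securityContext") or {}).get("privileged") is True:
                found.append(f"{key}[{c.get('name', '?')}].privileged")
    return found

def audit_environments(doc):
    """Return (namespace, name, section, fields) for each flagged Environment section."""
    findings = []
    for env in doc.get("items") or []:
        meta = env.get("metadata") or {}
        for role in ("runtime", "builder"):
            section = (env.get("spec") or {}).get(role) or {}
            # Assumed layout: spec.<role>.podspec plus an optional spec.<role>.container.
            podspec = dict(section.get("podspec") or {})
            if section.get("container"):
                podspec["containers"] = (podspec.get("containers") or []) + [section["container"]]
            fields = risky_fields(podspec)
            if fields:
                findings.append((meta.get("namespace"), meta.get("name"), role, fields))
    return findings

# Constructed sample, not real cluster output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "python"},
     "spec": {"runtime": {"image": "example/python-env"},
              "builder": {"image": "example/python-builder"}}},
    {"metadata": {"namespace": "team-a", "name": "node-debug"},
     "spec": {"runtime": {"image": "example/node-env",
                          "podspec": {"hostNetwork": True, "hostPID": True,
                                      "containers": [{"name": "node-debug",
                                                      "securityContext": {"privileged": True}}]}},
              "builder": {"image": "example/node-builder",
                          "container": {"name": "builder",
                                        "securityContext": {"privileged": True}}}}},
]}

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, role, fields in audit_environments(doc):
        print(f"{ns}/{name} spec.{role}: {', '.join(fields)}")
```

To audit a live cluster, pipe the output of `kubectl get environments.fission.io -A -o json` into the script; with no piped input it runs on the constructed sample.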
Exploitation status
Public Exploit Available: False
Analyst recommendation
The ability to escalate privileges within a Kubernetes cluster makes this a critical security concern. Administrators must prioritize the update to version 1.24.0 and implement admission control policies to prevent the deployment of insecure pod specifications.