CVE-2025-46599: Kubelet Readonly Port Omitempty Bypass
`greprules fetch cve-2025-46599-kubelet-readonly-port-omitempty-bypass --engine opengrep`
Description
Setting `ReadOnlyPort` to 0 in Kubelet configuration structs causes the field to be stripped during JSON serialization due to the upstream `omitempty` tag. As a result, kubelet ignores the 0 value and binds to the default unauthenticated port (10255), exposing sensitive cluster information. Set the read-only port dynamically via CLI flags (e.g., `--read-only
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided