This security advisory concerns vulnerabilities in the Custom Metrics Autoscaler Operator for Red Hat OpenShift, which is an optional operator based on Kubernetes Event Driven Autoscaler (KEDA) version 2.15.1. The operator allows workloads to scale using custom metrics sources. Two CVEs, CVE-2025-29786 and CVE-2025-30204, are associated with this advisory. The advisory references an update to version 2.15.1-6 but does not specify explicit fixes for these vulnerabilities. The operator is distributed as container images for amd64 and arm64 architectures. The advisory recommends applying the update after previously released errata have been applied. No cloud service is involved, and no known exploits have been reported.

The vulnerabilities are rated as high severity, indicating a significant security concern. However, the advisory does not provide detailed impact descriptions or confirm active exploitation. The operator's role in scaling workloads using custom metrics suggests potential risks in workload management or resource allocation if exploited. No known exploits in the wild have been reported, and no direct impact scenarios are detailed in the advisory.

Red Hat recommends applying the Custom Metrics Autoscaler Operator update to version 2.15.1-6 after ensuring all previously released errata relevant to the system have been applied. The advisory does not specify explicit fixes for the CVEs but implies that updating to the latest operator version is the current mitigation step. Users should follow Red Hat's official documentation for upgrading operators in OpenShift. Since no cloud service is involved, remediation is managed by the user applying the update. Patch status is not explicitly confirmed as a fix for the CVEs; therefore, users should monitor Red Hat advisories for further updates.