Red Hat Security Advisory: Gatekeeper v3.15.4
Gatekeeper v3. 15. 4 addresses two security vulnerabilities in dependencies used by the Gatekeeper validating webhook for Kubernetes policy enforcement. The first vulnerability (CVE-2025-22868) involves unexpected memory consumption during token parsing in the golang. org/x/oauth2 library. The second (CVE-2025-22869) is a denial of service vulnerability in the key exchange mechanism of golang. org/x/crypto/ssh. These issues could impact Gatekeeper deployments that use these libraries. Gatekeeper v3. 15.
AI Analysis
Technical Summary
Gatekeeper is a validating webhook with auditing capabilities that enforces custom resource definition-based policies using the Open Policy Agent (OPA). In version 3.15.4, Red Hat fixed two security issues: CVE-2025-22868, an unexpected memory consumption during token parsing in the golang.org/x/oauth2 library, and CVE-2025-22869, a denial of service vulnerability in the key exchange of golang.org/x/crypto/ssh. These vulnerabilities affect Gatekeeper components that rely on these libraries. The advisory notes that starting with v3.15, certain namespaces are exempt from admission control by default. The fixes are included in Gatekeeper v3.15.4, which is supported through Red Hat Advanced Cluster Management for Kubernetes subscriptions.
Potential Impact
The vulnerabilities could cause unexpected memory consumption and denial of service conditions in Gatekeeper deployments using the affected golang libraries. This may lead to degraded service availability or resource exhaustion in Kubernetes environments where Gatekeeper is deployed. No known exploits in the wild have been reported. The impact is rated as high severity by Red Hat.
Mitigation Recommendations
Red Hat has released Gatekeeper version 3.15.4 which includes fixes for CVE-2025-22868 and CVE-2025-22869. Users should upgrade to Gatekeeper v3.15.4 to remediate these vulnerabilities. Gatekeeper is supported through a Red Hat Advanced Cluster Management for Kubernetes subscription, and users should follow the official upgrade and installation documentation. No additional mitigation steps are indicated by the vendor advisory.
Red Hat Security Advisory: Gatekeeper v3.15.4
Description
Gatekeeper v3. 15. 4 addresses two security vulnerabilities in dependencies used by the Gatekeeper validating webhook for Kubernetes policy enforcement. The first vulnerability (CVE-2025-22868) involves unexpected memory consumption during token parsing in the golang. org/x/oauth2 library. The second (CVE-2025-22869) is a denial of service vulnerability in the key exchange mechanism of golang. org/x/crypto/ssh. These issues could impact Gatekeeper deployments that use these libraries. Gatekeeper v3. 15.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Gatekeeper is a validating webhook with auditing capabilities that enforces custom resource definition-based policies using the Open Policy Agent (OPA). In version 3.15.4, Red Hat fixed two security issues: CVE-2025-22868, an unexpected memory consumption during token parsing in the golang.org/x/oauth2 library, and CVE-2025-22869, a denial of service vulnerability in the key exchange of golang.org/x/crypto/ssh. These vulnerabilities affect Gatekeeper components that rely on these libraries. The advisory notes that starting with v3.15, certain namespaces are exempt from admission control by default. The fixes are included in Gatekeeper v3.15.4, which is supported through Red Hat Advanced Cluster Management for Kubernetes subscriptions.
Potential Impact
The vulnerabilities could cause unexpected memory consumption and denial of service conditions in Gatekeeper deployments using the affected golang libraries. This may lead to degraded service availability or resource exhaustion in Kubernetes environments where Gatekeeper is deployed. No known exploits in the wild have been reported. The impact is rated as high severity by Red Hat.
Mitigation Recommendations
Red Hat has released Gatekeeper version 3.15.4 which includes fixes for CVE-2025-22868 and CVE-2025-22869. Users should upgrade to Gatekeeper v3.15.4 to remediate these vulnerabilities. Gatekeeper is supported through a Red Hat Advanced Cluster Management for Kubernetes subscription, and users should follow the official upgrade and installation documentation. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2025:3053
- Cve Count
- 2
- Additional Cves
- ["CVE-2025-22869"]
- Cvss Version
- null
Threat ID: 6a160973e29bf47b5063d229
Added to database: 5/26/2026, 8:58:27 PM
Last enriched: 5/27/2026, 12:18:38 AM
Last updated: 5/27/2026, 4:50:16 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.