Kubernetes maintainers disclosed CVE-2022-3172 in September 2022, a URL-redirection flaw (CWE-601) in the aggregated API layer of kube-apiserver that lets a malicious or compromised aggregated API service redirect authenticated client traffic — including requests issued by tools built on the official Kubernetes Python client — to an attacker-chosen destination. In practice, this means a backend extension API server that a cluster trusts can quietly reroute API calls made through the aggregation layer, potentially exposing bearer tokens, service account credentials, or sensitive payloads to an endpoint the cluster operator never intended to talk to. For platform teams running Python-based operators, CI/CD controllers, or internal tooling against Kubernetes clusters, this is a reminder that client-side trust in server responses is not automatic — and that the transitive dependency chain between kube-apiserver and the libraries used to talk to it matters for security posture.
What the vulnerability actually does
Kubernetes supports API aggregation, a mechanism that lets cluster operators register additional API servers (via APIService objects) that extend the core Kubernetes API surface — metrics servers, service meshes, and custom resource backends commonly use this pattern. When a client sends a request that kube-apiserver proxies to one of these aggregated backends, the backend is expected to return a normal API response. CVE-2022-3172 exists because kube-apiserver's proxy logic did not adequately restrict redirect responses coming back from an aggregated API server. A misbehaving or compromised backend could respond with an HTTP redirect (a 3xx status with a Location header pointing anywhere, including internal cluster addresses or external attacker-controlled hosts), and the proxying layer would pass that redirect along to the calling client.
Any client that follows redirects automatically — which is the default behavior for many HTTP libraries underlying the Kubernetes Python client, such as urllib3 — can end up sending a follow-up request, potentially carrying the same authentication headers, to a destination the cluster administrator never authorized. This turns a single compromised or misconfigured aggregated backend into a pivot point for credential exfiltration or internal network probing, entirely from inside a trust boundary that operators assumed was closed.
Affected versions and components
- Core component:
kube-apiserver's aggregated API proxy handling. - Affected releases: Kubernetes versions prior to v1.22.14, v1.23.11, v1.24.5, and v1.25.0.
- Fixed releases: v1.22.14, v1.23.11, v1.24.5, v1.25.0, and all later minor/patch releases.
- Downstream exposure: Any client library or automation that talks to a cluster through the aggregation layer inherits the risk, including the official Kubernetes Python client (
kubernetespackage on PyPI) and its transitive HTTP dependencies (urllib3,requests), as well asclient-go-based tools,kubectlproxy usage, and custom operators. The vulnerability is not a defect in the Python client's own code — it's a server-side flaw whose blast radius extends to every client that trusts the responseskube-apiserverforwards. - Precondition: An attacker needs the ability to register or influence the behavior of an aggregated API service in the target cluster — typically requiring existing cluster-admin-adjacent privileges or compromise of a legitimately registered extension API server (e.g., a metrics-server, service mesh control plane, or third-party operator with a registered
APIService).
CVSS, EPSS, and KEV context
NVD scored CVE-2022-3172 with a CVSS v3.1 base score of 3.9 (Low), reflecting the network attack vector combined with a high attack-complexity requirement and the need for elevated privileges to register or control an aggregated backend in the first place — this is not a remotely exploitable, unauthenticated bug. EPSS exploitation-probability estimates for this CVE have historically sat well under 1%, consistent with a low-severity issue that requires an unusual, privileged attack setup rather than broad internet-facing exposure. As of this writing, CVE-2022-3172 does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploitation in the wild has been reported.
That said, low CVSS scores can be misleading in defense-in-depth terms. The realistic threat model isn't a random internet attacker — it's a supply-chain or insider scenario: a compromised third-party operator, a malicious dependency shipped inside an aggregated API server's container image, or a misconfigured extension service. Given how many managed Kubernetes add-ons (metrics pipelines, service meshes, admission controllers) register themselves as aggregated APIs, this vulnerability sits squarely in software-supply-chain territory, which is exactly why it warrants attention alongside the traditional "patch and move on" CVE triage.
Timeline
- Kubernetes security release, September 22, 2022 — CVE-2022-3172 was disclosed publicly alongside a related aggregation-layer issue (CVE-2022-3162), both fixed in the same coordinated Kubernetes patch release.
- September 2022 — Fixed builds shipped: v1.22.14, v1.23.11, v1.24.5, and v1.25.0.
- Subsequent weeks — NVD published the CVSS scoring and CWE-601 classification; downstream distributions (managed Kubernetes providers, on-prem distributions) rolled the fix into their supported release trains.
- Since disclosure — No confirmed in-the-wild exploitation has been publicly reported, and the CVE has not been added to CISA KEV, but the underlying pattern (untrusted redirects through a trusted proxy layer) remains relevant to any environment that relies on API aggregation.
Remediation steps
- Upgrade
kube-apiserverto v1.22.14, v1.23.11, v1.24.5, v1.25.0, or later. This is the authoritative fix — the proxy logic itself needed to change, and no client-side workaround fully closes the gap. - Inventory your
APIServiceobjects. Runkubectl get apiservicesand review every aggregated backend registered in each cluster. Confirm each one is still expected, still maintained, and sourced from a trusted image. - Tighten RBAC on
APIServicecreation and modification. Only cluster administrators (not arbitrary namespace-scoped service accounts) should be able to register or alter aggregated API services — this directly narrows the precondition attackers need. - Audit client-side redirect handling. If you maintain internal tooling or operators built on the Kubernetes Python client, review whether your HTTP transport (
urllib3/requests) is configured to follow redirects automatically when talking to the API server, and disable that behavior where it isn't strictly necessary. - Pin and track dependency versions. Keep the
kubernetesPyPI package and itsurllib3/requestsdependencies current, and track them in your software bill of materials so a future advisory affecting those libraries doesn't go unnoticed. - Constrain network egress from aggregated backends and from nodes running
kube-apiserver. Network policies that limit where proxied traffic can actually terminate reduce the value of a successful redirect even if one occurs. - Monitor audit logs for unexpected proxy destinations or anomalous traffic patterns associated with aggregated API calls, particularly around the time any new extension API server is registered.
How Safeguard Helps
Safeguard's reachability analysis takes CVEs like CVE-2022-3172 out of the abstract "patch everything, eventually" bucket and tells you precisely which clusters, services, and Python codebases actually exercise the vulnerable aggregation-proxy code path — so your team isn't burning cycles on components that never touch it. Griffin AI, Safeguard's autonomous triage engine, correlates the CVE against your live SBOM inventory, cross-references kube-apiserver versions and Kubernetes client library versions across every environment, and flags registered APIService objects that widen your actual attack surface. Continuous SBOM generation and ingestion — including third-party and vendor-supplied SBOMs for operators and extension API servers — means you have a standing, queryable record of exactly which aggregated backends and client dependencies are in play, without waiting for the next manual audit. When a fix path exists, Safeguard's auto-fix PRs open the version bump directly against your manifests and dependency files, so remediation moves from a ticket in a backlog to a reviewable pull request. Together, these capabilities turn a low-CVSS, easy-to-deprioritize advisory into a concrete, auditable remediation workflow rather than a line item that quietly ages out of scope.